Abstract. We show that any two-party quantum computation, specified by a unitary which simultaneously acts on the registers of both parties, can be securely implemented against a quantum version of classical semi-honest adversaries that we call specious.

We first show that no statistically private protocol exists for swapping 
qubits against specious adversaries. The swap functionality is modeled 
by a unitary transform that is not sufficient for universal quantum com- 
putation. It means that universality is not required in order to obtain 
impossibility proofs in our model. However, the swap transform can easily 
be implemented privately provided a classical bit commitment scheme. 
We provide a simple protocol for the evaluation of any unitary transform 
represented by a circuit made out of gates in some standard universal 
set of quantum gates. All gates except one can be implemented securely 
provided one call to swap made available as an ideal functionality. For 
each appearance of the remaining gate in the circuit, one call to a classical 
AND-box is required for privacy. The AND-box can easily be constructed 
from oblivious transfer. It follows that oblivious transfer is universal for 
private evaluations of unitaries as well as for classical circuits. 
Unlike the ideal swap, AND-boxes are classical primitives and cannot be 
represented by unitary transforms. It follows that, to some extent, this 
remaining gate is the hard one, like the AND gate for classical two-party 
computation. 



1 Introduction 



In this paper, we address the problem of privately evaluating some unitary transform U upon a joint quantum input state held by two parties. Since unitaries model what quantum algorithms are implementing, we can see this problem as a natural extension of secure two-party evaluation of functions to the quantum realm. Suppose that a state |ψ_in⟩ ∈ A ⊗ B is the initial shared state where Alice holds register A and Bob holds register B. Let U ∈ U(A ⊗ B) be some unitary transform acting upon A and B. What cryptographic assumptions are needed for a private evaluation of |ψ_out⟩ = U|ψ_in⟩, where private means that each player learns no more than in the ideal situation depicted in Fig. 1? Of course, answers to this question depend upon the adversary we are willing to tolerate.

In [21], it was shown that unitaries cannot be used to implement classical cryptographic primitives. Any non-trivial primitive implemented by unitaries will necessarily leak information toward one party. Moreover, this leakage is available to a weak class of adversaries that can be interpreted as the quantum version of classical semi-honest adversaries. It follows that quantum two-party computation of unitaries cannot be used to implement classical cryptographic primitives. This opens the possibility that the cryptographic assumptions needed for private evaluations of unitaries are weaker than for their classical counterpart. So, what classical cryptographic assumptions, if any, are required to achieve privacy in our setting? Are there unitaries more difficult to evaluate privately than others?

Fig. 1. Ideal functionality for unitary U.

In this work, we answer these questions against a class of weak quantum 
adversaries, called specious, related to classical semi-honest adversaries. We say 
that a quantum adversary is specious if at any step during the execution of a 
protocol, it can provide a judge with some state that, when joined with the state 
held by the honest player, will be indistinguishable from an honest interaction.
In other words, an adversary is specious if it can pass an audit with success 
at any step. Most known impossibility proofs in quantum cryptography apply 
when the adversary is restricted to be specious. Definitions similar to ours have 
been proposed for the quantum setting and usually named semi-honest. However, 
translating our definition to the classical setting produces a strictly stronger class 
of adversaries than semi-honest^4, as demonstrated in Appendix B, which justifies
not adopting the term semi-honest. We propose the name specious as the core 
of the definition is that the adversary must appear to act honestly. 

Contributions. First, we define two-party protocols for the evaluation of uni- 
taries having access to oracle calls. This allows us to consider protocols with 
security relying on some ideal functionalities in order to be private. We then say 
that a protocol is in the bare model if it does not involve any call to an ideal 
functionality. We then formally define what we mean by specious adversaries. 



^4 As an example, assume there exist public key cryptosystems where you can sample a public key without learning the secret key. Then this is a semi-honest oblivious transfer: the receiver, with choice bit c, samples pk_c in the normal way and learns its corresponding secret key, and samples pk_{1-c} without learning its secret key. He sends (pk_0, pk_1). Then the sender sends (E_{pk_0}(m_0), E_{pk_1}(m_1)) and the receiver decrypts E_{pk_c}(m_c). This is not secure against a specious adversary who can sample pk_{1-c} along with its secret key sk_{1-c} and then delete sk_{1-c} before the audit.



Privacy is then defined via simulation. We say that a protocol for the two-party evaluation of unitary U is private against specious adversaries if, for any joint input state and at any step of the protocol, there exists a simulator that can reproduce the adversary's view having only access to its own part of the joint input state. Quantum simulation must rely on a family of simulators for the view of the adversary rather than one because quantum information does not accumulate but can vanish as the protocol evolves. For instance, consider the trivial protocol that lets Alice send her input register to Bob so that he can apply locally |ψ_out⟩ = U|ψ_in⟩ before returning her register. The final state of such a protocol is certainly private, as Bob cannot clone Alice's input and keep a copy, yet at some point Bob had access to Alice's input, thus violating privacy. No simulator can possibly reproduce Bob's state after he received Alice's register without having access to her input state.

Second, we show that no protocol can be shown statistically private against 
specious adversaries in the bare model for a very simple unitary: the swap gate. 
As the name suggests, the swap gate simply permutes Alice's and Bob's input 
states. Intuitively, the reason why this gate is impossible is that at some point 
during the execution of such protocol, one party that still has almost all its 
own input state receives a non-negligible amount of information (in the quantum sense) about the other party's input state. At this point, no simulator can possibly reproduce the complete state held by the receiving party since a call to the ideal functionality only provides access to the other party's state while no call to the ideal functionality only provides information about that party's own input. Therefore, no simulator can reproduce a state that contains information about the input states of both parties. It follows that cryptographic
assumptions are needed for the private evaluation of unitaries against specious 
adversaries. On the other hand, a classical bit commitment is sufficient to im- 
plement the swap privately in our model. 

Finally, we give a very simple protocol for the private evaluation of any unitary based on ideas introduced by [11, 10] in the context of fault tolerant quantum computation. Our construction is similar to Yao's original construction in the classical world [26, 13]. We represent any unitary U by a quantum circuit made out of gates taken from the universal set U_Q = {X, Y, Z, CNOT, H, P, R} [17]. The protocol evaluates each gate of the circuit upon shared encrypted input where the encryption uses the Pauli operators {X, Y, Z} together with the identity. In addition to the Pauli gates X, Y, and Z, gates CNOT, H, and P can easily be performed over encrypted states without losing the ability to decrypt. Gates of that kind belong to what is called the Clifford group. The CNOT gate is the only gate in U_Q acting upon more than one qubit while the R-gate is the only one that does not belong to the Clifford group. In order to evaluate it over an encrypted state while preserving the ability to decrypt, we need to rely upon a classical ideal functionality computing securely an additive sharing for the AND of Alice's and Bob's input bits. We call this ideal functionality an AND-box. Upon input x ∈ {0,1} for Alice and y ∈ {0,1} for Bob, it produces a ∈ {0,1} and b ∈ {0,1} to Alice and Bob respectively such that a ⊕ b = x ∧ y. An AND-box can be obtained from any flavor of oblivious transfer and is defined the same way as an NL-box [18, 19] without the property that its output can be obtained before the input of the other player has been provided to the box (i.e., NL-boxes are non-signaling). The equivalence between AND-boxes, NL-boxes, and oblivious transfer is discussed in [25]. At the end of the protocol, each part of the shared key allowing to decrypt the output must be exchanged in a fair way. For this task, Alice and Bob rely upon an ideal swap functionality called SWAP. The result is that any U can be evaluated privately upon any input provided Alice and Bob have access to one AND-box per R-gate and one call to an ideal swap. If the circuit happens to have only gates in the Clifford group then only one call to an ideal swap is required for privacy. In other words, SWAP is universal for the private evaluation of circuits in the Clifford group (i.e., those circuits having no R-gate) and itself belongs to that group (SWAP is not a classical primitive). To some extent, circuits in the Clifford group are the easy ones. Circuits containing R-gates, however, need a classical cryptographic primitive to be evaluated privately by our protocol. It means that AND-boxes are universal for the private evaluation of any circuit against specious adversaries. We don't know whether there exist some unitary transforms that are universal for the private evaluation of any unitary against specious adversaries.

Previous works. All impossibility results in quantum cryptography we are aware of apply to classical primitives. In fact, the impossibility proofs usually rely upon the fact that an adversary with a seemingly honest behavior can force the implementation of classical primitives to behave quantumly. The result being that, implemented that way, the primitive must leak information to the adversary. This is the spirit behind the impossibility of implementing oblivious transfer securely using quantum communication [14]. In that same paper the impossibility of any one-sided private evaluation of non-trivial primitives was shown. All these results can be seen as generalizations of the impossibility of bit commitment schemes based on quantum communication [15, 16]. The most general impossibility result we are aware of applies to any non-trivial two-party classical functionality. It states that it suffices for the adversary to purify its actions in order for the quantum primitive to leak information. An adversary purifying its actions is specious as defined above. None of these impossibility proofs apply to quantum primitives characterized by some unitary transform applied to joint quantum inputs. Blind quantum computation is a primitive that shows similarities to ours. In [6], a protocol allowing a client to get its input to a quantum circuit evaluated blindly has been proposed. The security of their scheme is unconditional while in our setting almost no unitary allows for unconditional privacy.

An unpublished work of Smith [23] shows how one can devise a private protocol for the evaluation of any unitary that seems to remain private against all quantum adversaries. However, the techniques used require strong cryptographic assumptions like homomorphic encryption schemes, zero-knowledge and witness indistinguishable proof systems. The construction is in the spirit of protocols for multiparty quantum computation [4, 8] and fault tolerant quantum circuits [22, 2]. Although our protocol only guarantees privacy against specious adversaries, it is obtained using much weaker cryptographic assumptions.

Organization. We introduce protocols for the two-party evaluation of unitaries 
in Sect. 2.1. In Sect. 3, we define the class of specious quantum adversaries and 
in Sect. 3.3, we define privacy. We show in Sect. 4 that no private protocol exists 
for swap. The description of our protocol follows in Sect. 5 and the proof of 
privacy is in Appendix E. 

2 Preliminaries 

The N-dimensional complex Euclidean space (i.e., Hilbert space) will be denoted by ℋ_N. We denote quantum registers using calligraphic typeset A. As usual, A ⊗ B denotes the space of two such quantum registers. We write A ≃ B when A and B are such that dim(A) = dim(B). A register A can undergo transformations as a function of time; we denote by A_i the state of space A at time i. When a quantum computation is viewed as a circuit accepting input in A, we denote all wires in the circuit by w ∈ A. If the circuit accepts input in A ⊗ B then the set of all wires is denoted w ∈ A ∪ B.

The set of all linear mappings from A to B is denoted by L(A, B) while L(A) stands for L(A, A). To simplify notation, for ρ ∈ L(A) and M ∈ L(A, B) we write M · ρ for MρM†.

We denote by Pos(A) the set of positive semi-definite operators in A. The set of positive semi-definite operators with trace 1 acting on A is denoted D(A); D(A) is the set of all possible quantum states for register A. An operator A ∈ L(A, B) is called a linear isometry if A†A = 1_A. The set of unitary operators (i.e., linear isometries with B = A) acting in A is denoted by U(A). The identity operator in A is denoted 1_A and the completely mixed state in D(A) is denoted by 𝕀_A. For any positive integer N > 0, 1_N and 𝕀_N denote the identity operator respectively the completely mixed state in ℋ_N. When the context requires, a pure state |ψ⟩ ∈ A ⊗ B will be written |ψ⟩^{AB} to make explicit the registers in which it is stored.

A linear mapping Φ : L(A) → L(B) is called a super-operator since it belongs to L(L(A), L(B)). Φ is said to be positive if Φ(A) ∈ Pos(B) for all A ∈ Pos(A). The super-operator Φ is said to be completely positive if Φ ⊗ 1_{L(Z)} is positive for every choice of the Hilbert space Z. A super-operator Φ can be physically realized or is admissible if it is completely positive and preserves the trace: tr(Φ(A)) = tr(A) for all A ∈ L(A). We call such a super-operator a quantum operation. Any quantum operation Φ : L(A) → L(B) can be written in its Kraus form {E_j}_{j=1}^{dim(A) dim(B)} where E_j ∈ L(A, B) for every j such that

$$\Phi(\rho) = \sum_j E_j \rho E_j^{\dagger}$$

for any ρ ∈ Pos(A) and where Σ_j E_j† E_j = 1_A (trace preservation). Another way to represent any quantum operation is through a linear isometry W ∈ L(A, B ⊗ Z) such that Φ(ρ) = tr_Z(W · ρ), for some extra space Z. Any such isometry W can be implemented by a physical process as long as the resource to implement the space Z is available. This is just a unitary transform in U(A ⊗ Z) where the system in Z is initially in known state |0_Z⟩.

Fig. 2. The teleportation circuit.

For two states ρ_0, ρ_1 ∈ D(A), we denote by Δ(ρ_0, ρ_1) the trace norm distance between ρ_0 and ρ_1:

$$\Delta(\rho_0, \rho_1) := \tfrac{1}{2}\|\rho_0 - \rho_1\|_1 .$$

If Δ(ρ_0, ρ_1) ≤ ε then any quantum process applied to ρ_0 behaves exactly as for ρ_1 except with probability at most ε [20].

We let C_1 be the Pauli group (the set of tensor products of the three Pauli matrices X, Y, and Z, see Appendix A, and the 2×2 identity matrix 1_2). Furthermore, C_{i+1} is then defined recursively for i ≥ 1 as C_{i+1} = {U | U C_i U† ⊆ C_i}, where C_2 is called the Clifford group.

The Bell measurement is a complete orthogonal measurement on two qubits made out of the measurement operators {|Φ_{0,0}⟩⟨Φ_{0,0}|, |Φ_{0,1}⟩⟨Φ_{0,1}|, |Φ_{1,0}⟩⟨Φ_{1,0}|, |Φ_{1,1}⟩⟨Φ_{1,1}|} where

$$|\Phi_{0,0}\rangle := \tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle),\quad |\Phi_{0,1}\rangle := \tfrac{1}{\sqrt{2}}(|00\rangle - |11\rangle),\quad |\Phi_{1,0}\rangle := \tfrac{1}{\sqrt{2}}(|01\rangle + |10\rangle),\quad |\Phi_{1,1}\rangle := \tfrac{1}{\sqrt{2}}(|01\rangle - |10\rangle).$$

The outcome |Φ_{x,z}⟩ of the Bell measurement is identified by the two classical bits (x, z) ∈ {0,1}^2. The quantum one-time-pad is a perfectly secure encryption of quantum states [3]. It encrypts a qubit |ψ⟩ as X^x Z^z |ψ⟩, where the key is two classical bits, (x, z) ∈ {0,1}^2, and X^0 Z^0 = 1, X^0 Z^1 = Z, X^1 Z^0 = X and X^1 Z^1 = Y (up to a global phase) are the Pauli operators. Quantum teleportation can be used to implement the quantum one-time-pad. Consider the teleportation circuit in Fig. 2. If the state to encrypt is |ψ⟩ then the state of the lower wire before entering the dashed box is the encryption of |ψ⟩ under a uniformly random key produced by the Bell measurement. The two gates inside the dashed box form the decryption circuit.



2.1 Modeling two-party strategies 

Consider an interactive two-party strategy Π between parties 𝒜 and ℬ with oracle calls 𝒪. Π can be modeled by a sequence of quantum operations for each player together with some oracle calls also modeled by quantum operations. Each quantum operation in the sequence corresponds to the action of one party at a certain step of the strategy. The following definition is a straightforward adaptation of n-turn interactive quantum strategies as described in [12]. The main difference is that here, we provide a joint input state to both parties and that quantum transmissions taking place during the execution are modeled by a quantum operation; one that is moving a state on one party's side to the other party.

Definition 2.1. An n-step two-party strategy with oracle calls, denoted Π = (𝒜, ℬ, 𝒪, n), consists of:

1. input spaces A_0 and B_0 for parties 𝒜 and ℬ respectively,

2. memory spaces A_1, …, A_n and B_1, …, B_n for 𝒜 and ℬ respectively,

3. an n-tuple of quantum operations (𝒜_1, …, 𝒜_n) for 𝒜, 𝒜_i : L(A_{i-1}) → L(A_i), (1 ≤ i ≤ n),

4. an n-tuple of quantum operations (ℬ_1, …, ℬ_n) for ℬ, ℬ_i : L(B_{i-1}) → L(B_i), (1 ≤ i ≤ n),

5. memory spaces A_1, …, A_n and B_1, …, B_n can be written as A_i = A_i^♯ ⊗ A_i^♭ and B_i = B_i^♯ ⊗ B_i^♭, (1 ≤ i ≤ n), and 𝒪 = (𝒪_1, …, 𝒪_n) is an n-tuple of quantum operations: 𝒪_i : L(A_i^♯ ⊗ B_i^♯) → L(A_i^♯ ⊗ B_i^♯), (1 ≤ i ≤ n).

If Π = (𝒜, ℬ, 𝒪, n) is an n-turn two-party protocol then the final state of the interaction upon input state ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R), where R is a system of dimension dim R = dim A_0 · dim B_0, is:

$$[\mathcal{A} \circledast \mathcal{B}](\rho_{\mathrm{in}}) := \big(\mathbb{1}_{L(A_n^\flat \otimes B_n^\flat \otimes R)} \otimes \mathcal{O}_n\big)\big(\mathcal{A}_n \otimes \mathcal{B}_n \otimes \mathbb{1}_{L(R)}\big) \cdots \big(\mathbb{1}_{L(A_1^\flat \otimes B_1^\flat \otimes R)} \otimes \mathcal{O}_1\big)\big(\mathcal{A}_1 \otimes \mathcal{B}_1 \otimes \mathbb{1}_{L(R)}\big)(\rho_{\mathrm{in}}) .$$

Step i of the strategy corresponds to the actions of 𝒜_i and ℬ_i followed by the oracle call 𝒪_i.

Note that we consider input states defined on the input systems together 
with a reference system 1Z; this allows us to show the correctness and privacy 
of the protocol not only for pure inputs, but also for inputs that are entangled 
with a third party. This is the most general case allowed by quantum mechanics. 

A two-party strategy is therefore defined by quantum operation tuples (𝒜_1, …, 𝒜_n), (ℬ_1, …, ℬ_n), and (𝒪_1, …, 𝒪_n). These operations also define working spaces A_0, …, A_n, B_0, …, B_n together with the input-output spaces to the oracle calls A_i^♯ and B_i^♯ for 1 ≤ i ≤ n.

A communication oracle from Alice to Bob is modeled by having A_i^♯ ≃ B_i^♯ and letting 𝒪_i move the state in A_i^♯ to B_i^♯ and erase A_i^♯. Similarly for communication in the other direction. We define a bare model protocol to be one which only uses communication oracles.

3 Specious Quantum Adversaries 
3.1 Protocols for two-party evaluation 

Let us consider two-party protocols for the quantum evaluation of unitary transform U ∈ U(A_0 ⊗ B_0) between parties 𝒜 and ℬ upon joint input state ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R). We define these protocols as two-party interactive strategies with placeholder for the output as follows:

Definition 3.1. A two-party protocol Π_U^𝒪 = (𝒜, ℬ, 𝒪, n) for U ∈ U(A_0 ⊗ B_0) is an n-step two-party strategy with oracle calls, where A_n ≃ A_0 and B_n ≃ B_0. It is said to be ε-correct if

$$\Delta\big([\mathcal{A} \circledast \mathcal{B}](\rho_{\mathrm{in}}),\ (U \otimes \mathbb{1}_R) \cdot \rho_{\mathrm{in}}\big) \le \varepsilon \quad \text{for all } \rho_{\mathrm{in}} \in D(A_0 \otimes B_0 \otimes R) .$$

We denote by Π_U a two-party protocol in the bare model where, without loss of generality, we assume that 𝒪_{2i+1} (0 ≤ i ≤ ⌊n/2⌋) implements a communication channel from 𝒜 to ℬ and 𝒪_{2i} (1 ≤ i ≤ ⌊n/2⌋) implements a communication channel from ℬ to 𝒜. Communication oracles are said to be trivial.



In other words, a two-party protocol Π_U^𝒪 for unitary U is a two-party interactive strategy where, at the end, the output of the computation is stored in the memory of the players. Π_U^𝒪 is correct if, when restricted to the output registers (and R), the final quantum state shared by 𝒜 and ℬ is (U ⊗ 1_R) · ρ_in.

As it will become clear when we discuss privacy in Sect. 3.3, we need to consider the joint state at any step during the evolution of the protocol. We define,

$$\rho_1(\rho_{\mathrm{in}}) := \big(\mathbb{1}_{L(A_1^\flat \otimes B_1^\flat \otimes R)} \otimes \mathcal{O}_1\big)\big(\mathcal{A}_1 \otimes \mathcal{B}_1 \otimes \mathbb{1}_{L(R)}\big)(\rho_{\mathrm{in}}),$$
$$\rho_{i+1}(\rho_{\mathrm{in}}) := \big(\mathbb{1}_{L(A_{i+1}^\flat \otimes B_{i+1}^\flat \otimes R)} \otimes \mathcal{O}_{i+1}\big)\big(\mathcal{A}_{i+1} \otimes \mathcal{B}_{i+1} \otimes \mathbb{1}_{L(R)}\big)(\rho_i(\rho_{\mathrm{in}})), \qquad (1)$$

for 1 ≤ i < n. We also write the final state of Π_U^𝒪 upon input state ρ_in as ρ_n(ρ_in) = [𝒜 ⊛ ℬ](ρ_in).

3.2 Modeling Specious Adversaries 

Intuitively, a specious adversary acts in any way apparently indistinguishable from the honest behavior, in the sense that no audit can distinguish the behavior of the adversary from the honest one.

More formally, a specious adversary in Π_U^𝒪 = (𝒜, ℬ, 𝒪, n) may use an arbitrarily large quantum memory space. However, at any step 1 ≤ i ≤ n, the adversary can transform its own current state to one that is indistinguishable from the honest joint state. These transforms are modeled by quantum operations, one for each step of the adversary in Π_U^𝒪, and are part of the adversary's specification. We denote by (𝒯_1, …, 𝒯_n) these quantum operations where 𝒯_i produces a valid transcript at the end of the i-th step.

Let 𝒜̃ and ℬ̃ be adversaries in Π_U^𝒪. We denote by Π_U^𝒪(𝒜̃) = (𝒜̃, ℬ, 𝒪, n) and Π_U^𝒪(ℬ̃) = (𝒜, ℬ̃, 𝒪, n) the resulting n-step two-party strategies. We denote by ρ_i(𝒜̃, ρ_in) the state defined in (1) for protocol Π_U^𝒪(𝒜̃) and similarly by ρ_i(ℬ̃, ρ_in) that state for protocol Π_U^𝒪(ℬ̃).

Adding the possibility for the adversary to be ε-close to honest, we get the following definition:

Definition 3.2. Let Π_U^𝒪 = (𝒜, ℬ, 𝒪, n) be an n-step two-party protocol with oracle calls for U ∈ U(A_0 ⊗ B_0). We say that:

– 𝒜̃ is ε-specious if Π_U^𝒪(𝒜̃) = (𝒜̃, ℬ, 𝒪, n) is an n-step two-party strategy with Ã_0 = A_0 and there exists a sequence of quantum operations (𝒯_1, …, 𝒯_n) such that:

1. for every 1 ≤ i ≤ n, 𝒯_i : L(Ã_i) → L(A_i),

2. for every input state ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R), and for all 1 ≤ i ≤ n,

$$\Delta\big((\mathcal{T}_i \otimes \mathbb{1}_{L(B_i \otimes R)})(\rho_i(\tilde{\mathcal{A}}, \rho_{\mathrm{in}})),\ \rho_i(\rho_{\mathrm{in}})\big) \le \varepsilon .$$

– ℬ̃ is ε-specious if Π_U^𝒪(ℬ̃) = (𝒜, ℬ̃, 𝒪, n) is an n-step two-party strategy with B̃_0 = B_0 and there exists a sequence of quantum operations (𝒯_1, …, 𝒯_n) such that:

1. for every 1 ≤ i ≤ n, 𝒯_i : L(B̃_i) → L(B_i),

2. for every input state ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R), and for all 1 ≤ i ≤ n,

$$\Delta\big((\mathbb{1}_{L(A_i \otimes R)} \otimes \mathcal{T}_i)(\rho_i(\tilde{\mathcal{B}}, \rho_{\mathrm{in}})),\ \rho_i(\rho_{\mathrm{in}})\big) \le \varepsilon .$$

If a party is ε(m)-specious with ε(m) negligible for m a security parameter then we say that this party is statistically specious.

3.3 Privacy 

Privacy for Π_U^𝒪 is defined as the ability for a simulator, having only access to the adversary's input and the ideal functionality U, to reproduce the state of the adversary at any step in the execution of Π_U^𝒪. Our definition is similar to the one introduced in [24] for statistical zero-knowledge proof systems.

A simulator for an adversary in Π_U^𝒪 is represented by a sequence of quantum operations (𝒮_i)_{i=1}^n, where 𝒮_i reproduces the view of the adversary after step i. 𝒮_i initially receives the adversary's input and has access to the ideal functionality for U evaluated upon the joint input of the adversary and the honest player. Because of no-cloning, a simulator calling U loses its input, and the input might be required to simulate e.g. early steps in the protocol, so we have to allow that 𝒮_i does not call U. For this purpose we introduce a bit q_i ∈ {0,1}. When q_i = 0, 𝒮_i does not call U and when q_i = 1, 𝒮_i must first call the ideal functionality U before performing some post-processing. More precisely,

Definition 3.3. Let Π_U^𝒪 = (𝒜, ℬ, 𝒪, n) be an n-step two-party protocol for U ∈ U(A_0 ⊗ B_0). Then,

– 𝒮(𝒜̃) = ((𝒮_1, …, 𝒮_n), q) is a simulator for adversary 𝒜̃ in Π_U^𝒪 if it consists of:

1. a sequence of quantum operations (𝒮_1, …, 𝒮_n) where for 1 ≤ i ≤ n, 𝒮_i : L(A_0) → L(Ã_i),

2. a sequence of bits q ∈ {0,1}^n determining if the simulator calls the ideal functionality at step i: q_i = 1 iff the simulator calls the ideal functionality.

– Similarly, 𝒮(ℬ̃) = ((𝒮_1, …, 𝒮_n), q') is a simulator for adversary ℬ̃ in Π_U^𝒪 if it consists of:

1. a sequence of quantum operations (𝒮_1, …, 𝒮_n) where for 1 ≤ i ≤ n, 𝒮_i : L(B_0) → L(B̃_i),

2. a sequence of bits q' ∈ {0,1}^n determining if the simulator calls the ideal functionality at step i: q'_i = 1 iff the simulator calls the ideal functionality.

Given an input state ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R), we define 𝒜̃'s respectively ℬ̃'s simulated views as:

$$\nu_i(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}) := \operatorname{tr}_{B_0}\big((\mathcal{S}_i \otimes \mathbb{1}_{L(B_0 \otimes R)})((U^{q_i} \otimes \mathbb{1}_R) \cdot \rho_{\mathrm{in}})\big),$$
$$\nu_i(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}) := \operatorname{tr}_{A_0}\big((\mathbb{1}_{L(A_0 \otimes R)} \otimes \mathcal{S}_i)((U^{q'_i} \otimes \mathbb{1}_R) \cdot \rho_{\mathrm{in}})\big).$$

We say that protocol Π_U^𝒪 is private against specious adversaries if there exists a simulator for the view at any step of any such adversary. In more detail,

Definition 3.4. Let Π_U^𝒪 = (𝒜, ℬ, 𝒪, n) be a protocol for U ∈ U(A_0 ⊗ B_0) and let 0 ≤ δ ≤ 1. We say that Π_U^𝒪 is δ-private against ε-specious 𝒜̃ if there exists a simulator 𝒮(𝒜̃) such that for all input states ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R) and for all 1 ≤ i ≤ n,

$$\Delta\big(\nu_i(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \operatorname{tr}_{B_i}(\rho_i(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\big) \le \delta .$$

Similarly, we say that Π_U^𝒪 is δ-private against ε-specious ℬ̃ if there exists a simulator 𝒮(ℬ̃) such that for all input states ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R) and for all 1 ≤ i ≤ n,

$$\Delta\big(\nu_i(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}),\ \operatorname{tr}_{A_i}(\rho_i(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}))\big) \le \delta .$$

Protocol Π_U^𝒪 is δ-private against ε-specious adversaries if it is δ-private against both 𝒜̃ and ℬ̃. For γ > 0, if Π_U^𝒪 is 2^{-γm}-private for m ∈ ℕ^+ a security parameter then we say that Π_U^𝒪 is statistically private.

One should keep in mind that δ should be kept small compared to the number of rounds, since the protocol is only secure if we can ensure that, with high probability, the adversary cannot behave differently in the simulated world at any of the rounds. If δn is kept small, we can use the union bound over all the rounds to ensure this.

We show next that for some unitary, statistical privacy cannot be satisfied 
by any protocol in the bare model. 

4 Unitaries with no private protocols 

In this section, we show that no statistically private protocol for the swap gate exists in the bare model. The swap gate, denoted SWAP, is the following unitary transform:

$$\mathrm{SWAP} : |\phi_A\rangle^{A_0}|\phi_B\rangle^{B_0} \mapsto |\phi_B\rangle^{A_0}|\phi_A\rangle^{B_0},$$

for any one-qubit states |φ_A⟩ ∈ A_0 and |φ_B⟩ ∈ B_0 (i.e., dim(A_0) = dim(B_0) = 2). Notice that SWAP is in the Clifford group since it can be implemented with three CNOT gates. It means that universality is not required (gates in the Clifford group are not universal for quantum computation) for a unitary to be impossible to evaluate privately. The impossibility of SWAP essentially follows from no-cloning.

Theorem 4.1 (Impossibility of swapping). There is no correct and statistically private two-party protocol Π_SWAP = (𝒜, ℬ, 𝒪, n(m)) in the bare model.

Using this line of reasoning, Theorem 4.1 can be extended to apply to any protocol for almost any unitary preventing both parties from recovering their input states from its output.



Sufficient Assumptions for Private SWAP. A private protocol for SWAP in the bare model would exist if the players could rely on special relativity and a lower bound on their separation in space: they simply send their messages simultaneously. The fact that messages cannot travel faster than the speed of light ensures that the messages are independent of each other. It is also straightforward to devise a private protocol for SWAP based on commitment schemes. 𝒜 sends one half of an EPR pair to ℬ while keeping the other half. 𝒜 then teleports (without announcing the outcome of the measurement) her register and commits to the outcome of the Bell measurement. ℬ sends his register to 𝒜 before she opens her commitment. This allows ℬ to reconstruct 𝒜's initial state.
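The commitment-based SWAP just sketched, run end to end together with the Sect. 2 observation that teleportation without announcing the Bell outcome is a quantum one-time-pad, as an added example in Python. This is not code from the paper. Assumptions of my own: the Bell measurement is simulated by projecting onto the four |Φ_{x,z}⟩ of Sect. 2, the commitment is a SHA-256 hash of a fresh nonce and the outcome (a stand-in for whatever commitment scheme the text has in mind), and the message labels in the transcript are illustrative.

```python
"""Teleportation as a quantum one-time-pad (Sect. 2) and the commitment-based
private SWAP of Sect. 4, simulated with pure-Python 2x2 / 4x4 linear algebra.
Added example, not the paper's code.  Assumed: SHA-256 commitment, the message
labels, and the in-place simulation of the Bell measurement."""
import hashlib
import math
import os
import random

def kron(A, B):
    return [[A[i // len(B)][j // len(B[0])] * B[i % len(B)][j % len(B[0])]
             for j in range(len(A[0]) * len(B[0]))] for i in range(len(A) * len(B))]

def apply(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]

def same_up_to_phase(u, v):
    """|<u|v>| = 1 for unit vectors: equal up to a global phase."""
    return abs(abs(sum(a.conjugate() * b for a, b in zip(u, v))) - 1) < 1e-9

I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]
# X^x Z^z for key (x, z); (1, 1) is XZ, which is Y up to a global phase.
PAULI = {(0, 0): I2, (0, 1): Z, (1, 0): X, (1, 1): [[0, -1], [1, 0]]}
PHI00 = [1 / math.sqrt(2), 0, 0, 1 / math.sqrt(2)]          # (|00> + |11>)/sqrt 2

def bell_state(x, z):
    """|Phi_{x,z}> = (I (x) X^x Z^z)|Phi_00>: exactly the four Bell states of Sect. 2."""
    return apply(kron(I2, PAULI[(x, z)]), PHI00)

def teleport(psi, seed=None):
    """Alice Bell-measures (psi, her half of |Phi_00>); Bob's half collapses to
    X^x Z^z psi up to a global phase.  Returns ((x, z), Bob's qubit).  Every
    outcome has probability 1/4, so Bob holds psi under a uniformly random pad."""
    joint = [a * b for a in psi for b in PHI00]     # |psi>_A |Phi00>_{A'B}, index 4a + 2a' + b
    branches = {}
    for key in PAULI:
        bra = bell_state(*key)                       # real amplitudes, no conjugation needed
        branches[key] = [sum(bra[2 * a + ap] * joint[4 * a + 2 * ap + b]
                             for a in (0, 1) for ap in (0, 1)) for b in (0, 1)]
    weights = {k: sum(abs(c) ** 2 for c in v) for k, v in branches.items()}   # all 1/4
    key = random.Random(seed).choices(list(weights), weights=list(weights.values()))[0]
    norm = math.sqrt(weights[key])
    return key, [c / norm for c in branches[key]]

def pad_average(psi):
    """Ciphertext density matrix averaged over the four keys.  It is I/2 for
    every psi: the perfect secrecy of the quantum one-time-pad."""
    rho = [[0, 0], [0, 0]]
    for op in PAULI.values():
        c = apply(op, psi)
        for i in range(2):
            for j in range(2):
                rho[i][j] += c[i] * c[j].conjugate() / 4
    return rho

def commit(msg):
    """Hash commitment (assumed scheme): the nonce stays secret until opening."""
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + msg).digest(), nonce

def private_swap(psi_a, psi_b, seed=None):
    """Commitment-based SWAP.  Returns (Alice's output, Bob's output, transcript)."""
    transcript = []
    # 1. Alice prepares |Phi_00>, keeps one half, sends the other half to Bob.
    transcript.append(("A->B", "EPR half"))
    # 2. Alice teleports psi_a but commits to the Bell outcome instead of announcing it.
    key, bob_cipher = teleport(psi_a, seed)
    com, nonce = commit(bytes(key))
    transcript.append(("A->B", "commit", com.hex()))
    # 3. Bob sends his register; all he holds of psi_a is a one-time-padded copy.
    alice_out = psi_b
    transcript.append(("B->A", "register B0"))
    # 4. Alice opens; Bob verifies the opening and strips the pad.
    transcript.append(("A->B", "open", (nonce.hex(), key)))
    if hashlib.sha256(nonce + bytes(key)).digest() != com:
        raise ValueError("commitment opening failed")
    bob_out = apply(PAULI[key], bob_cipher)          # X^x Z^z is self-inverse up to phase
    return alice_out, bob_out, transcript
```

The point of step 3 is visible in `pad_average`: until Alice opens, Bob's register is the one-time-padded qubit, whose average over the (to him unknown, uniform) key is the maximally mixed state, so he learns nothing by sending his own register first. Once he has sent it, the opening of the commitment is the only thing that lets him decrypt, and Alice cannot change the outcome she committed to.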

5 The Protocol 

We now describe a private protocol for the two-party evaluation of any unitary U ∈ U(A_0 ⊗ B_0), denoted by Π_U^𝒪 = (𝒜*, ℬ*, 𝒪, n_U + 1), where U is represented by a circuit C_U with u gates in U_Q. We slightly abuse the notation with respect to the parameter n_U + 1. Given circuit C_U, we let n_U be the number of oracle calls (including calls to communication oracles). Setting the last parameter to n_U + 1 instead of n_U comes from the fact that in our protocol, 𝒜* and ℬ* have to perform a last operation each in order to get their outcome. These last operations do not involve a call to any oracle. Let G_j be the j-th gate in C_U = G_u G_{u−1} ⋯ G_1. The protocol is obtained by composing sub-protocols for each gate similarly to well-known classical constructions [26, 13]. Notice that Π_U^𝒪 will not be presented in the form of Definition 3.1: 𝒜* is not necessarily sending the first and the last messages. This can be done without consequences since we provide a simulation for each step where a message from the honest party is received or the output of a call to an ideal functionality is available. Putting Π_U^𝒪 in the standard form of Definition 3.1 is straightforward and changes nothing to the proof of privacy.

The evaluation of each gate is performed over shared encrypted states. Each wire in C_U will be updated from initially holding the input ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R) to finally holding the output (U ⊗ 1_R) · ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R). The states of wires w ∈ A_0 ∪ B_0 after the evaluation of G_j are stored at 𝒜*'s or ℬ*'s according to whether w ∈ A_0 or w ∈ B_0. The shared encryption keys for wire w ∈ A_0 ∪ B_0 updated after the evaluation of G_j are denoted by K^j_{𝒜*}(w) = (X^j_{𝒜*}(w), Z^j_{𝒜*}(w)) ∈ {0,1}^2 and K^j_{ℬ*}(w) = (X^j_{ℬ*}(w), Z^j_{ℬ*}(w)) ∈ {0,1}^2 for 𝒜* and ℬ* respectively and are held privately in internal registers of each party.

The final phase of the protocol is where a call to an ideal functionality is required. 𝒜* and ℬ* exchange their own part of each encryption key for the other party's wires. In order to do this, the key-releasing phase invokes an ideal SWAP-gate as functionality: 𝒪_{n_U} : L(A^♯_{n_U} ⊗ B^♯_{n_U}) → L(A^♯_{n_U} ⊗ B^♯_{n_U}), where 𝒪_{n_U}(ρ) := SWAP · ρ. Upon joint input state ρ_in ∈ D(A_0 ⊗ B_0 ⊗ R), protocol Π_U^𝒪 runs the following phases:

Initialization: We assume that s/* and 38* have agreed upon a description of 
U by a circuit Cu made out of u gates (G\, . . . , G u ) in UQ . For all wires 



w e Ao U So, £#* and ^* set their initial encryption keys as K^,(w) = 
(X^(w),^,(w)) := (0,0) and J&.(w) = (X&.(v), Z&.(v)) := (0,0) re- 
spectively. 

Evaluation: For each gate number $1 \le j \le u$, $\mathcal{A}^*$ and $\mathcal{B}^*$ evaluate $G_j$ as described in detail below. This evaluation results in a shared encryption under keys $K^j_{\mathcal{A}^*}(w) = (X^j_{\mathcal{A}^*}(w), Z^j_{\mathcal{A}^*}(w))$ and $K^j_{\mathcal{B}^*}(w) = (X^j_{\mathcal{B}^*}(w), Z^j_{\mathcal{B}^*}(w))$ for all wires $w \in A_0 \cup B_0$, which at that point hold a shared encryption of $((G_j G_{j-1} \cdots G_1) \otimes \mathbb{1}_{\mathcal{R}})\cdot\rho_{\mathrm{in}}$. Only the evaluation of the R-gate requires a call to an ideal functionality (i.e., an AND-box).

Key-Releasing: Let $A_{\mathrm{sw}}$ and $B_{\mathrm{sw}}$ be the sets of registers holding respectively $K^u_{\mathcal{A}^*}(w) = (X^u_{\mathcal{A}^*}(w), Z^u_{\mathcal{A}^*}(w))$ for $w \in B_0$ and $K^u_{\mathcal{B}^*}(w) = (X^u_{\mathcal{B}^*}(w), Z^u_{\mathcal{B}^*}(w))$ for $w \in A_0$. We assume w.l.g. that the dimensions of both sets of registers are identical$^5$:

1. $\mathcal{A}^*$ and $\mathcal{B}^*$ run the ideal functionality for the SWAP-gate upon registers $A_{\mathrm{sw}}$ and $B_{\mathrm{sw}}$.

2. $\mathcal{A}^*$ applies the decryption operator for key $K^u(w) = (X^u_{\mathcal{A}^*}(w) \oplus X^u_{\mathcal{B}^*}(w),\; Z^u_{\mathcal{A}^*}(w) \oplus Z^u_{\mathcal{B}^*}(w))$ to each of her wires $w \in A_0$.

3. $\mathcal{B}^*$ applies the decryption operator for key $K^u(w) = (X^u_{\mathcal{A}^*}(w) \oplus X^u_{\mathcal{B}^*}(w),\; Z^u_{\mathcal{A}^*}(w) \oplus Z^u_{\mathcal{B}^*}(w))$ to each of his wires $w \in B_0$.

In the following subsections 5.1 to 5.3, we describe the evaluation phase for each gate in $\mathcal{U}_G$.

Swapping for key-releasing. Notice that the key-releasing phase only uses the SWAP-gate with classical input states. The reader might therefore wonder why this functionality is defined quantumly when a classical swap would work equally well. The reason is that, perhaps somewhat surprisingly, a classical swap is a potentially stronger primitive than a quantum swap. From a classical swap one can build a quantum swap by encrypting the quantum states with classical keys, exchanging the encrypted states using quantum communication, and then using the classical swap to exchange the keys. Obtaining a classical swap from a quantum one, however, is not obvious. Suppose that registers $A$ and $B$ should be swapped classically while holding quantum states beforehand. These registers could be entangled with some purification registers before being swapped. Using a quantum swap between $A$ and $B$ will always leave these registers entangled with the purification registers until they become measured, while a classical swap will ensure that $A$ and $B$ become unentangled with the purification registers after its invocation. In other words, a classical swap could prevent an adversary from exploiting entanglement in his attack.

The ideal AND-box functionality. As we are going to see next, a call to an ideal AND-box is required during the evaluation of the R-gate. Unlike the ideal SWAP used for key-releasing, the AND-box will be modeled by a purely classical primitive denoted AND-box. This is required for privacy of our protocol since any implementation of it by some unitary will necessarily leak [21]. The quantum operation implementing it will first measure the two one-qubit input registers in the computational basis in order to get classical inputs $x, y \in \{0,1\}$ for $\mathcal{A}^*$ and $\mathcal{B}^*$ respectively. The classical output bits are then set to $a \in_R \{0,1\}$ for $\mathcal{A}^*$ and $b = a \oplus xy$ for $\mathcal{B}^*$.

$^5$ Otherwise, add enough registers initially in state $|0\rangle$ to the smaller set.




5.1 Computing over Encrypted States

Before the execution of $G_{j+1}$ in $C_U$, $\mathcal{A}^*$ and $\mathcal{B}^*$ share an encryption of $\rho_j = ((G_j \cdot G_{j-1} \cdots G_1) \otimes \mathbb{1}_{\mathcal{R}})\cdot\rho_{\mathrm{in}}$ in registers$^6$ holding wires $w \in A_0 \cup B_0$. Each wire $w \in A_0 \cup B_0$ is encrypted by a shared quantum one-time pad as

$$\Big(\bigotimes_{w \in A_0 \cup B_0} X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)}\Big)\cdot\rho_j \;, \qquad (2)$$

where $K^j_{\mathcal{A}^*}(w) := (X^j_{\mathcal{A}^*}(w), Z^j_{\mathcal{A}^*}(w)) \in \{0,1\}^2$ and $K^j_{\mathcal{B}^*}(w) := (X^j_{\mathcal{B}^*}(w), Z^j_{\mathcal{B}^*}(w)) \in \{0,1\}^2$ are two bits of secret keys for $\mathcal{A}^*$ and $\mathcal{B}^*$ respectively. In other words, wires $w \in A_0 \cup B_0$ are encrypted by $X^x Z^z$ where $x = X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)$ and $z = Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)$ are additive sharings for the encryption of $w$. Then, evaluating $G_{j+1}$ upon state (2) will produce a new sharing $K^{j+1}_{\mathcal{A}^*}(w) := (X^{j+1}_{\mathcal{A}^*}(w), Z^{j+1}_{\mathcal{A}^*}(w))$ and $K^{j+1}_{\mathcal{B}^*}(w) := (X^{j+1}_{\mathcal{B}^*}(w), Z^{j+1}_{\mathcal{B}^*}(w))$ for the encryption of state $\rho_{j+1} = (G_{j+1} \otimes \mathbb{1}_{\mathcal{R}})\cdot\rho_j$. In the following, we describe how to update the keys for the wires involved in the current gate to be evaluated; all other wires retain their previous values.



5.2 Evaluation of Gates in the Pauli and Clifford Groups

Pauli gates. Non-trivial Pauli gates (i.e., $X$, $Y$, and $Z$) can easily be computed on encrypted quantum states since they commute or anti-commute pairwise. Let $G_{j+1} \in \{X, Y, Z\}$ be the Pauli gate to be executed on wire $w$. We have:

$$G_{j+1}\Big(X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)}\Big) = \pm \Big(X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)}\Big) G_{j+1} \;.$$

It means that, up to an irrelevant phase factor, it suffices for the owner of $w$ to apply $G_{j+1}$ without the need for either party to update their shared keys, i.e., $K^{j+1}_{\mathcal{A}^*}(w) := K^j_{\mathcal{A}^*}(w)$ and $K^{j+1}_{\mathcal{B}^*}(w) := K^j_{\mathcal{B}^*}(w)$.



H, P, and CNOT on local wires. Now, suppose that $G_{j+1} \in \{H, P\}$. Each of these one-qubit gates applied upon wire $w$ will be computed by simply letting the party owning $w$ apply $G_{j+1}$. Since

$$H\Big(X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)}\Big) = \Big(Z^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, X^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)}\Big) H \;,$$

and similarly for $P$ (which commutes with $Z$ and satisfies $P \cdot X = XZ \cdot P$ up to an irrelevant phase), the encryption keys are updated as follows:

$$H : \; K^{j+1}_{\mathcal{A}^*}(w) = (X^{j+1}_{\mathcal{A}^*}(w), Z^{j+1}_{\mathcal{A}^*}(w)) := (Z^j_{\mathcal{A}^*}(w), X^j_{\mathcal{A}^*}(w)) \;, \qquad K^{j+1}_{\mathcal{B}^*}(w) = (X^{j+1}_{\mathcal{B}^*}(w), Z^{j+1}_{\mathcal{B}^*}(w)) := (Z^j_{\mathcal{B}^*}(w), X^j_{\mathcal{B}^*}(w)) \;,$$

$$P : \; K^{j+1}_{\mathcal{A}^*}(w) = (X^{j+1}_{\mathcal{A}^*}(w), Z^{j+1}_{\mathcal{A}^*}(w)) := (X^j_{\mathcal{A}^*}(w), X^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{A}^*}(w)) \;, \qquad K^{j+1}_{\mathcal{B}^*}(w) = (X^{j+1}_{\mathcal{B}^*}(w), Z^{j+1}_{\mathcal{B}^*}(w)) := (X^j_{\mathcal{B}^*}(w), X^j_{\mathcal{B}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)) \;.$$

$^6$ To ease the notation in the following, we assume $\rho_j \in \mathrm{D}(A_0 \otimes B_0)$ rather than in $\mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$. It is easy to see that this can be done without loss of generality.



Any one-qubit gate in the Clifford group can be implemented the same way using its own commutation relations with the Pauli operators used for encryption. A CNOT-gate on local wires can be evaluated in a similar way, that is, whenever both wires $w$ and $w'$ feeding the CNOT belong to the same party. Assume that $w$ is the control wire while $w'$ is the target and that $\mathcal{A}^*$ holds them both (i.e., $w, w' \in A_0$). Then, $\mathcal{A}^*$ simply applies CNOT on wires $w$ and $w'$. Encryption keys are updated as:

$$\mathrm{CNOT} : \; K^{j+1}_{\mathcal{A}^*}(w) = (X^{j+1}_{\mathcal{A}^*}(w), Z^{j+1}_{\mathcal{A}^*}(w)) := (X^j_{\mathcal{A}^*}(w),\; Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{A}^*}(w')) \;,$$

$$K^{j+1}_{\mathcal{A}^*}(w') = (X^{j+1}_{\mathcal{A}^*}(w'), Z^{j+1}_{\mathcal{A}^*}(w')) := (X^j_{\mathcal{A}^*}(w') \oplus X^j_{\mathcal{A}^*}(w),\; Z^j_{\mathcal{A}^*}(w')) \;,$$

$$K^{j+1}_{\mathcal{B}^*}(w) := K^j_{\mathcal{B}^*}(w) \quad\text{and}\quad K^{j+1}_{\mathcal{B}^*}(w') := K^j_{\mathcal{B}^*}(w') \;.$$

When $\mathcal{B}^*$ holds both wires, the procedure is simply performed with the roles of $\mathcal{A}^*$ and $\mathcal{B}^*$ reversed.



Nonlocal CNOT. We now look at the case where $G_{j+1} = \mathrm{CNOT}$ upon wires $w$ and $w'$, one of which is owned by $\mathcal{A}^*$ while the other is owned by $\mathcal{B}^*$. In this case, interaction is unavoidable for the evaluation of the gate. Let us assume w.l.g. that $\mathcal{A}^*$ holds the control wire $w$ while $\mathcal{B}^*$ holds the target wire $w'$ (i.e., $w \in A_0$ and $w' \in B_0$). We start from a construction introduced in [11] in the context of fault-tolerant quantum computation.

The idea behind the sub-protocol is depicted in Fig. 3. The effect of the Bell measurement is to teleport the input state of wires $w$ and $w'$ through the CNOT-gate [11]. The input to the CNOT appearing in the circuit of Fig. 3 is independent of both input wires $w$ and $w'$ (they are just two half EPR-pairs).

The sub-protocol for the evaluation of CNOT simply consists in executing the circuit of Fig. 3 without the decryption part (i.e., the part inside the dotted rectangle). The state $|\xi\rangle := (\mathbb{1}_A \otimes \mathrm{CNOT} \otimes \mathbb{1}_B)|\Psi_{0,0}\rangle|\Psi_{0,0}\rangle$ can be prepared by one party. We let the holder of the control wire (i.e., $\mathcal{A}^*$ in Fig. 3) prepare $|\xi\rangle$ before sending its two rightmost registers to the other party. The decryption in the dotted rectangle is used to update the encryption keys according to the measurement outcomes $(a_x, a_z, b_x, b_z)$:

$$\mathrm{CNOT} : \; K^{j+1}_{\mathcal{A}^*}(w) := (X^j_{\mathcal{A}^*}(w) \oplus a_x,\; Z^j_{\mathcal{A}^*}(w) \oplus a_z) \;,$$

$$K^{j+1}_{\mathcal{B}^*}(w) := (X^j_{\mathcal{B}^*}(w),\; Z^j_{\mathcal{B}^*}(w) \oplus b_z) \;,$$

$$K^{j+1}_{\mathcal{A}^*}(w') := (X^j_{\mathcal{A}^*}(w') \oplus a_x,\; Z^j_{\mathcal{A}^*}(w')) \;,$$

$$K^{j+1}_{\mathcal{B}^*}(w') := (X^j_{\mathcal{B}^*}(w') \oplus b_x,\; Z^j_{\mathcal{B}^*}(w') \oplus b_z) \;.$$

Fig. 3. Evaluation of CNOT.

As for all previous gates, the key updating phase is performed locally without the need for communication.



5.3 Evaluation of the R-Gate

The only gate left in $\mathcal{U}_G$ is $G_{j+1} := R$. We assume without loss of generality that $\mathcal{A}^*$ owns wire $w$ upon which $R$ is applied (i.e., $w \in A_0$). The subprotocol needs a call to an ideal AND-box in order to guarantee privacy during the key updating process. Observe first that the R-gate commutes with the Pauli encryption operator $Z$. It means that applying the R-gate upon a state encrypted with $Z$ produces the correct output state still encrypted with $Z$. However, the equality $R \cdot X = e^{-i\pi/4}\, PX \cdot R$ tells us that a P-gate should be applied for the decryption of the output when the input has been encrypted using $X$. This breaks the invariant that wires after each gate are all encrypted by Pauli operators. We remove the P-gate by converting it into a sequence of Pauli operators.

Suppose $\mathcal{A}^*$'s wire $w$ is encrypted as usual by shared keys $K^j_{\mathcal{A}^*}(w) := (X^j_{\mathcal{A}^*}(w), Z^j_{\mathcal{A}^*}(w))$ and $K^j_{\mathcal{B}^*}(w) := (X^j_{\mathcal{B}^*}(w), Z^j_{\mathcal{B}^*}(w))$. Ignoring an irrelevant global phase, the result of applying $R$ on wire $w$ is

$$R \cdot X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w)} = Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w) \oplus X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, P^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, R \;. \qquad (3)$$

To remove the P-gate, we let each party remove his part of $X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)} P^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}$ in a private interactive process. To do this, $\mathcal{A}^*$ picks random bits $r$ and $r'$, and $\mathcal{B}^*$ picks random bits $s$ and $s'$. $\mathcal{A}^*$ applies the operator $X^r Z^{r'} P^{X^j_{\mathcal{A}^*}(w)}$ and sends the resulting quantum state to $\mathcal{B}^*$. $\mathcal{B}^*$ applies the operator $X^s Z^{s'} P^{X^j_{\mathcal{B}^*}(w)}$ and sends the result back to $\mathcal{A}^*$. The resulting protocol is shown in Fig. 4. It starts with $\mathcal{A}^*$ applying $R$ upon the encrypted state before the one-round interactive process described above starts.

Fig. 4. Implementation of the R-gate.

After $\mathcal{A}^*$'s application of $R$, the resulting state is as described on the right-hand side of (3). At the end of the process (i.e., the circuit of Fig. 4), the encryption becomes:

$$Z^{s'} X^{s} P^{X^j_{\mathcal{B}^*}(w)}\; Z^{r'} X^{r} P^{X^j_{\mathcal{A}^*}(w)}\; Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w) \oplus X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, P^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, R \;. \qquad (4)$$

Since $Z$ and $P$ commute and $P \cdot X = XZ \cdot P$, we can rewrite (4) (i.e., up to an irrelevant phase factor) as

$$Z^{s' \oplus r' \oplus r \cdot X^j_{\mathcal{B}^*}(w)}\, X^{s \oplus r}\, P^{X^j_{\mathcal{A}^*}(w) + X^j_{\mathcal{B}^*}(w)}\; Z^{Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w) \oplus X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, P^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, R \;.$$

Using the fact that for $a, b \in \{0,1\}$, $P^{a+b} = Z^{ab} P^{a \oplus b}$, the previous equation can be rewritten as

$$Z^{s' \oplus r' \oplus Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w) \oplus X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w) \oplus (r \oplus X^j_{\mathcal{A}^*}(w)) \cdot X^j_{\mathcal{B}^*}(w)}\; X^{s \oplus r}\, P^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, X^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, P^{X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, R \;. \qquad (5)$$

Moving the leftmost P-gate to the right results in Pauli encryption,

$$Z^{s' \oplus r' \oplus X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w) \oplus Z^j_{\mathcal{A}^*}(w) \oplus Z^j_{\mathcal{B}^*}(w) \oplus (r \oplus X^j_{\mathcal{A}^*}(w)) \cdot X^j_{\mathcal{B}^*}(w)}\; X^{s \oplus r \oplus X^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)}\, R \;. \qquad (6)$$



Encryption (6) is not a proper additive sharing since the $Z$-operator depends on $(r \oplus X^j_{\mathcal{A}^*}(w)) \cdot X^j_{\mathcal{B}^*}(w)$, the logical AND between a value known only by $\mathcal{A}^*$ (i.e., $r \oplus X^j_{\mathcal{A}^*}(w)$) and a value known only by $\mathcal{B}^*$ (i.e., $X^j_{\mathcal{B}^*}(w)$). To get back to an additive sharing, $\mathcal{A}^*$ and $\mathcal{B}^*$ can simply call the AND-box once with inputs $r \oplus X^j_{\mathcal{A}^*}(w)$ and $X^j_{\mathcal{B}^*}(w)$ respectively, as depicted in Fig. 5. After this, $\mathcal{A}^*$ and $\mathcal{B}^*$ share a proper encryption of the resulting state. The new encryption keys for $\mathcal{A}^*$'s wire $w$ become:

$$R : \; K^{j+1}_{\mathcal{A}^*}(w) := (r \oplus X^j_{\mathcal{A}^*}(w),\; r' \oplus \alpha \oplus Z^j_{\mathcal{A}^*}(w) \oplus X^j_{\mathcal{A}^*}(w)) \;,$$

$$K^{j+1}_{\mathcal{B}^*}(w) := (s \oplus X^j_{\mathcal{B}^*}(w),\; s' \oplus \beta \oplus Z^j_{\mathcal{B}^*}(w) \oplus X^j_{\mathcal{B}^*}(w)) \;.$$

Fig. 5. $\alpha \oplus \beta = (r \oplus X^j_{\mathcal{A}^*}(w)) \cdot X^j_{\mathcal{B}^*}(w)$ from an AND-box.
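The key-update rules for H and P (Section 5.2) and the full R-gate sub-protocol (Section 5.3), checked at the matrix level for a single wire; this is an added example, not code from the paper. It simulates the shares $(X_{\mathcal{A}^*}, Z_{\mathcal{A}^*})$, $(X_{\mathcal{B}^*}, Z_{\mathcal{B}^*})$, the random bits $r, r', s, s'$, both parties' operators and an ideal AND-box, and verifies that the wire ends up under a proper Pauli sharing of $R$ applied to the plaintext; the helper names and the pure-Python matrix routines are assumptions of this example.

```python
# Added example, not from the paper: checks the key-update rules of Sections 5.2
# and 5.3 at the matrix level for a single wire. Helper names (mul, pauli, ...)
# and party bit names are this example's own; the rules follow the text.
import cmath
import random

I = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
P = [[1, 0], [0, 1j]]
R = [[1, 0], [0, cmath.exp(1j * cmath.pi / 4)]]


def mul(a, b):
    """2x2 complex matrix product a . b."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def same_up_to_phase(a, b):
    """True iff a == exp(i*theta) * b for some global phase theta."""
    fa = [a[i][j] for i in range(2) for j in range(2)]
    fb = [b[i][j] for i in range(2) for j in range(2)]
    k = max(range(4), key=lambda t: abs(fb[t]))
    if abs(fb[k]) < 1e-9:
        return all(abs(v) < 1e-9 for v in fa)
    ph = fa[k] / fb[k]
    return abs(abs(ph) - 1) < 1e-9 and all(
        abs(u - ph * v) < 1e-9 for u, v in zip(fa, fb))


def power(m, e):
    """m^e for e in {0, 1}."""
    return m if e else I


def pauli(x, z):
    """Quantum one-time-pad operator X^x Z^z."""
    return mul(power(X, x), power(Z, z))


# Section 5.2 update of ONE party's share (x, z); because the rules are linear,
# the combined key (x_A ^ x_B, z_A ^ z_B) is updated by the same rule.
UPDATE = {"H": lambda x, z: (z, x), "P": lambda x, z: (x, x ^ z)}
GATE = {"H": H, "P": P}


def clifford_rule_holds(name, xa, za, xb, zb):
    """G . X^x Z^z == (phase) X^x' Z^z' . G with (x', z') from the updated shares."""
    xa2, za2 = UPDATE[name](xa, za)
    xb2, zb2 = UPDATE[name](xb, zb)
    lhs = mul(GATE[name], pauli(xa ^ xb, za ^ zb))
    rhs = mul(pauli(xa2 ^ xb2, za2 ^ zb2), GATE[name])
    return same_up_to_phase(lhs, rhs)


def all_clifford_rules_hold():
    return all(clifford_rule_holds(g, xa, za, xb, zb)
               for g in GATE for xa in (0, 1) for za in (0, 1)
               for xb in (0, 1) for zb in (0, 1))


def r_keeps_pauli_form(x, z):
    """Is R . X^x Z^z equal, up to phase, to some X^x' Z^z' . R?  It is not when
    x = 1: a P-gate residue is left over, which is what Section 5.3 removes."""
    lhs = mul(R, pauli(x, z))
    return any(same_up_to_phase(lhs, mul(pauli(x2, z2), R))
               for x2 in (0, 1) for z2 in (0, 1))


def r_gate_protocol(xa, za, xb, zb, rng):
    """Section 5.3 on a wire encrypted under shares (xa, za) for Alice and
    (xb, zb) for Bob. Returns the total operator applied to the plaintext and
    the two new key shares. Randomness comes from the caller-supplied rng."""
    op = mul(R, pauli(xa ^ xb, za ^ zb))           # Alice applies R
    r, r2 = rng.randrange(2), rng.randrange(2)     # Alice's r, r'
    s, s2 = rng.randrange(2), rng.randrange(2)     # Bob's s, s'
    # Alice applies X^r Z^{r'} P^{x_A} and sends the qubit to Bob
    op = mul(mul(mul(power(X, r), power(Z, r2)), power(P, xa)), op)
    # Bob applies X^s Z^{s'} P^{x_B} and sends it back
    op = mul(mul(mul(power(X, s), power(Z, s2)), power(P, xb)), op)
    # ideal AND-box on inputs r^x_A (Alice) and x_B (Bob):
    # alpha is random, beta = alpha ^ (r^x_A) * x_B
    alpha = rng.randrange(2)
    beta = alpha ^ ((r ^ xa) & xb)
    key_a = (r ^ xa, r2 ^ alpha ^ za ^ xa)
    key_b = (s ^ xb, s2 ^ beta ^ zb ^ xb)
    return op, key_a, key_b


def r_gate_protocol_correct(xa, za, xb, zb, seed=0):
    """The wire must end up holding X^x' Z^z' R |psi> with (x', z') the XOR of
    the new shares, i.e. a proper Pauli sharing of R applied to the plaintext."""
    op, (xa2, za2), (xb2, zb2) = r_gate_protocol(
        xa, za, xb, zb, random.Random(seed))
    return same_up_to_phase(op, mul(pauli(xa2 ^ xb2, za2 ^ zb2), R))


def r_gate_protocol_correct_for_all_keys(seeds=range(8)):
    return all(r_gate_protocol_correct(xa, za, xb, zb, sd)
               for sd in seeds for xa in (0, 1) for za in (0, 1)
               for xb in (0, 1) for zb in (0, 1))
```

Running the three top-level checks shows that the H and P rules hold for every pair of shares, that $R$ alone leaves a non-Pauli residue whenever the $X$-part of the key is 1, and that the AND-box step always returns the wire to an additive Pauli sharing.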



5.4 On the Necessity of Swapping Privately 

One may ask whether relying upon SWAP is necessary for the protocol to be pri- 
vate against specious adversaries. For instance, what would happen if one party 
announces the encryption keys before the other party? We now show that as soon 
as one party gets the other party's decryption key before having announced its 
own, a specious adversary can break privacy. 

Consider the protocol for a quantum circuit made out of one single CNOT-gate. Suppose that $\mathcal{A}^*$ holds the control wire $w$ while $\mathcal{B}^*$ holds the target wire $w'$. Suppose also that the key-releasing phase first asks $\mathcal{B}^*$ to announce the encryption keys $K^u_{\mathcal{B}^*}(w)$ before $\mathcal{A}^*$ announces $K^u_{\mathcal{A}^*}(w')$. Suppose $\mathcal{A}$'s input state is $|0\rangle$.

The adversary $\mathcal{A}$ can now act as follows. $\mathcal{A}$ runs the protocol for CNOT without performing the Bell measurement until she receives the encryption key $b_z$ from $\mathcal{B}^*$. Clearly, $\mathcal{A}$'s behavior is specious up to that point since she could reproduce the honest state by just applying the Bell measurement on her input state stored in register $A_0$. However, given $b_z$ she could also in principle compute the CNOT upon any input state of her choice. This means that the state she holds after $b_z$ has been announced and before applying her Bell measurement contains information about $\mathcal{B}^*$'s input. On the one hand, when $\mathcal{A}$'s input state is $|0\rangle$ no information whatsoever on $\mathcal{B}^*$'s input state should be available to her (i.e., in this case CNOT behaves like the identity). On the other hand, had her input state been $|-\rangle$, information about $\mathcal{B}^*$'s state would have become available since the control and target wires exchange their roles when the input states are in the Hadamard basis. However, when $\mathcal{A}$'s input state is $|0\rangle$, any simulation of her view can only call the ideal functionality with input state $|0\rangle$. It follows that no simulator can reproduce $\mathcal{A}$'s state right after the announcement of $b_z$.

6 Main Result and Open Questions 

Putting Lemma E.1 and Lemma E.2 together gives the desired result:

Theorem 6.1 (Main Result). Protocol $\mathcal{P}^U$ is statistically private against any statistically specious quantum adversary and for any $U \in \mathrm{U}(A_0 \otimes B_0)$. If $U$ is in the Clifford group then the only non-trivial oracle call in $\mathcal{P}^U$ is one call to an ideal SWAP. If $U$ is not in the Clifford group then $\mathcal{P}^U$ contains an additional oracle call to AND-box for each R-gate in the circuit for $U$.

It should be mentioned that it is not too difficult to modify our protocol in order to privately evaluate quantum operations rather than only unitary transforms. Classical two-party computation, together with the fact that quantum operations can be viewed as unitaries acting in larger spaces, can be used to achieve this extra functionality. Privacy can be preserved by keeping these extra registers encrypted after the execution of the protocol. We leave this discussion to the full version of the paper.

A few interesting questions remain open:

— It would be interesting to know whether there exists a unitary transform that can act as a universal primitive for private two-party evaluation of unitaries. This would make it possible to determine whether classical cryptographic assumptions are required for this task.

— Finally, is there a way to compile quantum protocols secure against specious adversaries into protocols secure against arbitrary quantum adversaries? An affirmative answer would greatly simplify the design of quantum protocols. Are extra assumptions needed to preserve privacy against any adversary?



7 Acknowledgements 



The authors would like to thank the referees for their comments and suggestions. 
We would also like to thank Thomas Pedersen for numerous helpful discussions 
in the early stage of this work. 

References 

1. Physical Review Letters, volume 78, April 1997.

2. D. Aharonov and M. Ben-Or. Fault-tolerant quantum computation with constant error. In 29th Annual ACM Symposium on Theory of Computing (STOC), pages 176-188, 1997.

3. Andris Ambainis, Michele Mosca, Alain Tapp, and Ronald de Wolf. Private quantum channels. In 41st Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages 547-553, 2000.

4. Michael Ben-Or, Claude Crépeau, Daniel Gottesman, Avinatan Hassidim, and Adam Smith. Secure multiparty quantum computation with (only) a strict honest majority. In 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages 249-260, 2006.

5. Charles H. Bennett, Gilles Brassard, Claude Crépeau, Richard Jozsa, Asher Peres, and William K. Wootters. Teleporting an unknown quantum state via dual classical and Einstein-Podolsky-Rosen channels. Physical Review Letters, 68(21):1895-1899, March 1993.

6. Anne Broadbent, Joseph Fitzsimons, and Elham Kashefi. Universal blind quantum computation, December 2009. Available at http://arxiv.org/abs/0807.4154.

7. Ran Canetti. Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143-202, 2000.

8. Claude Crépeau, Daniel Gottesman, and Adam Smith. Secure multi-party quantum computation. In 34th Annual ACM Symposium on Theory of Computing (STOC), pages 643-652, 2002.

9. Ivan B. Damgård, Serge Fehr, Carolin Lunemann, Louis Salvail, and Christian Schaffner. Improving the security of quantum protocols via commit-and-open. In Advances in Cryptology — CRYPTO '09, volume 5677 of Lecture Notes in Computer Science, pages 408-427. Springer, 2009. Full version available at http://arxiv.org/abs/0902.3918.

10. Daniel Gottesman and Isaac L. Chuang. Demonstrating the viability of universal quantum computation using teleportation and single-qubit operations. Nature, 402:390-393, November 1999.

11. Daniel Gottesman and Isaac L. Chuang. Quantum teleportation is a universal computational primitive. http://arxiv.org/abs/quant-ph/9908010, August 1999.

12. G. Gutoski and J. Watrous. Quantum interactive proofs with competing provers. In 22nd Annual Symposium on Theoretical Aspects of Computer Science (STACS), volume 3404 of Lecture Notes in Computer Science, pages 605-616. Springer, March 2005.

13. Joe Kilian. Founding cryptography on oblivious transfer. In 20th Annual ACM Symposium on Theory of Computing (STOC), pages 20-31, 1988.

14. Hoi-Kwong Lo. Insecurity of quantum secure computations. Physical Review A, 56(2):1154-1162, 1997.

15. Hoi-Kwong Lo and Hoi Fung Chau. Is quantum bit commitment really possible? In Physical Review Letters [1], pages 3410-3413.

16. Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. In Physical Review Letters [1], pages 3414-3417.

17. Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.

18. Sandu Popescu and Daniel Rohrlich. Quantum nonlocality as an axiom. Foundations of Physics, 24(3):379-385, 1994.

19. Sandu Popescu and Daniel Rohrlich. Causality and nonlocality as axioms for quantum mechanics. In Symposium on Causality and Locality in Modern Physics and Astronomy: Open Questions and Possible Solutions, 1997. http://arxiv.org/abs/quant-ph/9709026.

20. Renato Renner and Robert König. Universally composable privacy amplification against quantum adversaries. In Theory of Cryptography Conference (TCC), volume 3378 of Lecture Notes in Computer Science, pages 407-425. Springer, 2005.

21. Louis Salvail, Miroslava Sotáková, and Christian Schaffner. On the power of two-party quantum cryptography. In Advances in Cryptology — ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science, pages 70-87. Springer, 2009.

22. Peter W. Shor. Fault-tolerant quantum computation. In 37th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages 56-65, 1996.

23. Adam Smith. Techniques for secure distributed computing with quantum data. Presented at the Fields Institute Quantum Cryptography and Computing workshop, October 2006.

24. John Watrous. Limits on the power of quantum statistical zero-knowledge. In 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages 459-468, 2002.

25. Stefan Wolf and Jürg Wullschleger. Oblivious transfer and quantum non-locality. In International Symposium on Information Theory (ISIT 2005), pages 1745-1748, 2005.

26. Andrew Yao. How to generate and exchange secrets. In 27th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 1986.



A Commutation Rules

$$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},\quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix},\quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix},\quad P = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix},$$

$$H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix},\quad \mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix},\quad R = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix}.$$

B Classical Definition of a Specious Adversary 

In this section we briefly discuss the definition of a specious adversary and the definition of security against such an adversary, and we compare it to the notion of a semi-honest classical adversary to illustrate the difference.

Fig. 6. Commutation relations for X.



B.1 Specious Adversary

As usual we let an $n$-party function $(y_1, \ldots, y_n) = f(x_1, \ldots, x_n)$ define $n$ functions $y_i = f_i(x_1, \ldots, x_n)$.

For our purpose, an $n$-party protocol $\pi = (\pi_1, \ldots, \pi_n)$ consists of $n$ parties $\pi_i$ connected by secure channels. If the protocol is for the $h$-hybrid model, for an $n$-party function $h$, there are additionally some designated rounds where each $\pi_i$ must specify an input $a_i$ to $h$. Then $(b_1, \ldots, b_n) = h(a_1, \ldots, a_n)$ is computed and each $\pi_i$ is given back $b_i$. A receiving point in a protocol is a point where the parties just exchanged messages or just received outputs $b_i$ from $h$.

For an $n$-party protocol $\pi$ and for $H \subseteq \{1, \ldots, n\}$ we denote by $\pi_H$ the set $\{\pi_i\}_{i \in H}$ of parties indexed by $i \in H$.

For an $n$-party protocol $\pi$ and for $C \subseteq \{1, \ldots, n\}$ we denote by $\tilde{\pi}_C$ an adversary for $\pi$ acting on behalf of parties indexed by $i \in C$. It receives the inputs, randomness and messages of all parties indexed by $i \in C$ and decides what messages they should send. By $(\pi_{\bar{C}}, \tilde{\pi}_C)$ we mean the protocol consisting of the parties $\pi_i$, $i \notin C$, running with the adversary $\tilde{\pi}_C$.

We use the following notation for vectors. We sometimes identify a vector $v = (v_1, \ldots, v_n)$ with the set $\{(i, v_i)\}_{i=1}^{n}$. For $S \subseteq \{1, \ldots, n\}$ we let $v_S$ be the vector $v$ restricted to indices in $S$, formally $v_S = \{(i, v_i)\}_{i \in S}$. For $S_1, S_2 \subseteq \{1, \ldots, n\}$ with $S_1 \cap S_2 = \emptyset$ we let $(v_{S_1}, v_{S_2}) = v_{S_1} \cup v_{S_2}$.

Definition B.1 (execution of (corrupted) protocol). For an $n$-party protocol $\pi$ and input $x = (x_1, \ldots, x_n)$, the distribution $\pi(x)$ is defined as follows: sample $r = (r_1, \ldots, r_n)$ uniformly at random. Run $\pi$ on input $x$ and randomness $r$. Let $y = (y_1, \ldots, y_n)$, where $y_i$ is the output of party $\pi_i$, and let $\pi(x) = (x, y)$. For an $n$-party protocol $\pi$, input $(x_1, \ldots, x_n)$, subset $C \subseteq \{1, \ldots, n\}$, adversary $\tilde{\pi}_C$ and $\tilde{\pi} = (\pi_{\bar{C}}, \tilde{\pi}_C)$, the distribution $\tilde{\pi}(x)$ is defined as follows: Sample $\tilde{r}_i$, $i \in C$, uniformly at random. Sample $r_i$, $i \notin C$, uniformly at random. Run $\tilde{\pi}$ on input $x$ and randomness $(r_{\bar{C}}, \tilde{r}_C)$. Let $\tilde{y}_C$ be the output of the adversary, let $y_{\bar{C}}$ be the outputs of the parties $\pi_{\bar{C}}$, and let $\tilde{\pi}(x) = (x, (y_{\bar{C}}, \tilde{y}_C))$.

Fig. 7. Commutation relations for Z.

Definition B.2 (specious adversary). Let $\pi$ be an $n$-party protocol, let $C \subseteq \{1, \ldots, n\}$, let $\tilde{\pi}_C$ be an adversary, let $\tilde{\pi} = (\pi_{\bar{C}}, \tilde{\pi}_C)$. We say that $\tilde{\pi}_C$ is specious in $\pi$ if there exists a poly-time view simulator $V$ such that for all inputs $x = (x_1, \ldots, x_n)$ and for all receiving points $p$ in $\pi$ it holds that $D^{(p)}$ and $\tilde{D}^{(p)}$ have the same distribution, where the distribution $D^{(p)}$ is defined as follows: sample $r = (r_1, \ldots, r_n)$ uniformly at random. Run $\pi$ on input $x$ and randomness $r$ until receiving point $p$. Let $M = (M_1, \ldots, M_n)$, where $M_i$ is the messages sent and received by party $\pi_i$, and let $D^{(p)} = (x, r, M)$. The distribution $\tilde{D}^{(p)}$ is defined as follows: Sample $r_i$, $i \notin C$, uniformly at random. Sample $\tilde{r}_i$, $i \in C$, uniformly at random. Run $\tilde{\pi}$ on input $x$ and randomness $(r_{\bar{C}}, \tilde{r}_C)$ until receiving point $p$. Let $\tilde{M}_C$ be the messages sent and received by the adversary $\tilde{\pi}_C$, let $M_{\bar{C}}$ be the messages sent and received by parties $\pi_{\bar{C}}$, let $(r_C, M_C) = V(p, x_C, \tilde{r}_C, \tilde{M}_C)$, and let $\tilde{D}^{(p)} = (x, (r_{\bar{C}}, r_C), (M_{\bar{C}}, M_C))$.

Definition B.3 (specious security). Let $\pi$ be an $n$-party protocol and let $f$ be an $n$-party function. By $\delta^f$ we denote the dummy protocol for $f$: it runs in the $f$-hybrid model and party $\delta_i$ on input $x_i$ sends $x_i$ to $f$, waits for the output $y_i$ from $f$, outputs $y_i$ and terminates. We say that $\pi$ is a specious implementation of $f$ against corruptions from adversary structure $\mathcal{C}$ if for all $C \in \mathcal{C}$ and all adversaries $\tilde{\pi}_C$ which are specious in $\pi$ there exists an adversary $\tilde{\delta}_C$ which is specious in $\delta^f$ such that $(\pi_{\bar{C}}, \tilde{\pi}_C)(x) = (\delta^f_{\bar{C}}, \tilde{\delta}_C)(x)$.

The adversary $\tilde{\delta}_C$ is also called the simulator. It gets the input $x_C$ and can then choose alternative inputs $x'_C$. Then it receives $y'_C$, where $y' = f(x_{\bar{C}}, x'_C)$, and outputs some $y_C$. In the dummy protocol, there is only one receiving point, namely after the ideal evaluation of $f$. So, for $\tilde{\delta}_C$ to be specious in $\delta^f$ it needs only be able to compute the correct view at this point. The correct view is $y_C$ for $y = f(x)$, so a specious $\tilde{\delta}_C$ (in $\delta^f$) can by definition compute $y_C$ from $x_C$, $x'_C$ and $y'_C$ (and its own randomness if it is randomized). In words, being specious in the ideal process means that for all inputs $x$ you give an alternative input to $f$ which allows the right output to be reconstructed.

Note that if we consider an $n$-party function $f$ where all parties receive the same output, $f_i = f_j$, then it is clear that for $\tilde{\delta}_C$ to be specious it should hold that $f(x_{\bar{C}}, x'_C) = f(x)$ for all inputs $x$, as $f(x_{\bar{C}}, x'_C)$ is included in the messages received by $\delta_{\bar{C}}$. In words, for a function $f$ with common output, being specious in the ideal process means that for all inputs $x$ you give an alternative input to $f$ which makes $f$ give the right output; you can therefore only make insignificant changes to your true input.

B.2 Specious Adversaries can be Stronger than Semi-Honest Adversaries

In some settings a specious adversary is strictly stronger than a semi-honest ad- 
versary. We demonstrate this by first giving a protocol for one-out-of-two obliv- 
ious transfer (OT) which is secure against a poly-time semi-honest adversary, 
but insecure against a poly-time specious adversary. We then show that there 
exists a function / and a protocol n which is a perfectly secure implementation 
of / against an unbounded semi-honest adversary in the OT-hybrid model, but 
insecure against even a poly-time specious adversary. The first example exploits 
that a specious adversary can prepare its randomness in any way it wants. The 
second example exploits that a specious adversary can provide any input it wants 
to ideal functionalities (in our case the OT's of the OT-hybrid model) as long 
as it can later make it look as if it gave the right input. 

Theorem B.4. Under the computational assumption given below, there exists a 
protocol which is a secure implementation of oblivious transfer against a static, 
poly-time semi-honest adversary but which is insecure against a static, poly-time 
specious adversary. 

Assume that we have a family of trapdoor permutations, where the description of a random permutation is a random string. More formally:

— On input $n \in \mathbb{N}$ the generator $G$ outputs $(i, t)$, where $i$ is uniformly random in some $\{0,1\}^{\ell}$, and $G$ runs in poly-time in $n$.

— Each index $i \in \{0,1\}^{\ell}$ defines a permutation $p_i : \{0,1\}^n \to \{0,1\}^n$. Given $i \in \{0,1\}^{\ell}$ and $x \in \{0,1\}^n$ one can compute $y = p_i(x)$ in poly-time in $n$.

— Given $t$, where $(i, t) \leftarrow G(n)$, and $y \in \{0,1\}^n$ one can compute $x = p_i^{-1}(y)$ in poly-time in $n$.

— It holds for all poly-time algorithms $A$ that the probability that it outputs $p_i^{-1}(y)$ on input $(i, y)$, where $(i, t) \leftarrow G(n)$ and $y \in \{0,1\}^n$, is negligible in $n$.

On security parameter $n$ the protocol runs as follows:

1. The sender $S$ has input two messages $m_0, m_1 \in \{0,1\}$.

2. The receiver $R$ has input a choice bit $c \in \{0,1\}$.

3. $R$ samples $(i_c, t_c) \leftarrow G(n)$ and $i_{1-c} \xleftarrow{\$} \{0,1\}^{\ell}$ and sends $(i_0, i_1)$ to $S$.

4. $S$ samples $x_0, x_1 \xleftarrow{\$} \{0,1\}^n$ and sends $(p_{i_0}(x_0), H(x_0) \oplus m_0)$ and $(p_{i_1}(x_1), H(x_1) \oplus m_1)$, where $H$ is a (possibly randomized) hard-core bit for $p$.

5. $R$ uses $t_c$ to compute $m_c = H(p_{i_c}^{-1}(p_{i_c}(x_c))) \oplus (H(x_c) \oplus m_c)$.

It is straightforward to prove that this protocol is computationally secure against a static semi-honest adversary in the stand-alone model [7]: the security for the receiver is perfect, and the receiver picks $i_{1-c}$ so as not to learn $t_{1-c}$, and hence $H(x_{1-c}) \oplus m_{1-c}$ hides $m_{1-c}$ in the sense of semantic security.

On the other hand it is clear that the protocol is not secure against a specious adversary: a specious adversary runs the protocol honestly, except that it prepares $i_{1-c}$ by sampling $(i_{1-c}, t_{1-c}) \leftarrow G(n)$ and then uses $t_{1-c}$ to learn $m_{1-c}$. The view simulator $V$ adds $i_{1-c}$ to the random string $r$ such that an execution of $R$ on $r$ samples the uniformly random $i_{1-c} \in \{0,1\}^{\ell}$.

Theorem B.5. There exists a function $f$ and a protocol $\pi$ such that $\pi$ is a perfectly secure implementation of $f$ in the OT-hybrid model against a static, unbounded semi-honest adversary, but insecure against a static, poly-time specious adversary.

Proof. We look at a function $(a, b) \mapsto (x, y)$. Let $a$ be a bit, let $b = (b_0, b_1)$ be two bits, and let $x = b_a$ and $y = \epsilon$. Consider the following protocol $\pi$: it contains two applications of OT, where in both $\mathcal{B}$ will offer input $(b_0, b_1)$ and where in both $\mathcal{A}$ will input $a$. At the end $\mathcal{A}$ outputs $b_a$.

It is trivial that $\pi$ is perfectly secure against a semi-honest adversary. It is, on the other hand, also clear that $\pi$ is not secure against a specious adversary, as $\mathcal{A}$ can use selection bit $1 - a$ in the second OT to learn $b_{1-a}$ and then output $(b_0, b_1)$. In the transcript of received messages the view simulator $V$ simply replaces $b_{1-a}$ by $b_a$ as the message received from the second OT, so $\mathcal{A}$ is indeed specious. It is also clear that no simulator for the ideal model (even if it was allowed active corruptions) can always output both $b_0$ and $b_1$. □

C Proof of Theorem 4.1 

Suppose that there exists an $\epsilon$-correct, $\epsilon$-private protocol in the bare model for SWAP for sufficiently small $\epsilon$; we will show that this implies that one of the two players must lose information upon receiving a message, which is clearly impossible.

We will consider the following particular pure input state: $|\psi\rangle := |\Psi_{0,0}\rangle^{A_0 \mathcal{R}_A} \otimes |\Psi_{0,0}\rangle^{B_0 \mathcal{R}_B}$, a maximally entangled state between $A_0 \otimes B_0$ and the reference system $\mathcal{R}_A \otimes \mathcal{R}_B$ that is broken down into two subsystems for convenience. Furthermore, we will consider the "purified" versions of the honest players for this protocol; in other words, we will assume that the super-operators $\mathcal{A}_1, \ldots, \mathcal{A}_n$ and $\mathcal{B}_1, \ldots, \mathcal{B}_n$ are in fact linear isometries and that therefore the players never discard any information unless they have to send it to the other party. The global state $\rho_i(\psi)$ after step $i$ is therefore a pure state on $A_i \otimes B_i \otimes \mathcal{R}_A \otimes \mathcal{R}_B$.

After step $i$ of the protocol (i.e., after the $i$th message has been sent), Alice's state must either depend only on her own original input (if $q_i = 0$ for her simulator), or on Bob's original input (if $q_i = 1$). More precisely, by the definition of privacy (Definition 3.4), we have that



where $\nu_i(\mathcal{A}, \psi)$ is $\mathcal{A}$'s simulated view after step $i$ and $\rho_i(\psi)$ is the global state in the real protocol after step $i$. Now, suppose that $q_i = 0$, and let $|\xi\rangle \in A_i \otimes \mathcal{R}_A \otimes \mathcal{R}'_B \otimes Z$ be a purification of $\nu_i(\mathcal{A}, \psi)$ with $Z$ being the purifying system, and $\mathcal{R}'_B$ being $\mathcal{R}_B$ renamed for upcoming technical reasons. The pure state $|\xi\rangle \otimes |\Psi_{0,0}\rangle^{B_0 \mathcal{R}_B}$ has the same reduced density matrix as $\nu_i(\mathcal{A}, \psi)$ on $A_i \otimes \mathcal{R}_A \otimes \mathcal{R}_B$. Hence, by Uhlmann's theorem, there exists a linear isometry $V : B_i \to B_0 \otimes Z \otimes \mathcal{R}'_B$ such that

= |0 (£| ® |^o,o><^o,o| Bo ^ B 

and hence 

A (^(^0,10^1 ® l^o,o><*o,o| Bo7lB ) < . 

This means that if $q_i = 0$, then Bob is still capable of reconstructing his own input state after step $i$ by applying $V$ to his working register. Clearly, this means that $q'_i = 0$ (i.e., Bob's simulator must also not call SWAP), and therefore, by the same argument, Alice must also be able to reconstruct her own input with an isometry $V_A : A_i \to A_0 \otimes Z \otimes \mathcal{R}'_A$. The same argument also holds if $q_i = 1$: we then conclude that $q'_i = 1$ and that Alice and Bob must have each other's inputs; no intermediate situation is possible. We conclude that, at every step $i$ of the protocol, $q_i = q'_i$.

Now, before the protocol starts, Alice must have her input, and Bob must have his, hence $q_0 = q'_0 = 0$. At the end, the two inputs must have been swapped, which means that $q_n = q'_n = 1$; there must therefore be a step $k$ in the protocol after which the two inputs are swapped but not before, meaning that $q_k = 1$ and $q_{k-1} = 0$. But at each step, only one player receives information, which means that at this step $k$, the player who received the message must lose the ability to reconstruct his own input, which is clearly impossible. □



D The Rushing Lemma



Specious adversaries are guaranteed to get the correct output state after the execution of a correct protocol. This implies that at the end of the protocol, any extra working registers (used to implement its attack) of any specious adversary are independent of the joint input state of the computation. In other words, no extra information is available to the adversary at the very end of the protocol. If the adversary can break the privacy of a protocol for the two-party evaluation of unitaries, then it must do so before the last step. The adversary must therefore rush to break privacy before the protocol ends.

Lemma D.1 (Rushing Lemma). Let $\Pi^U = (\mathcal{A}, \mathcal{B}, n)$ be a correct protocol for the two-party evaluation of $U$. Let $\tilde{\mathcal{A}}$ be any $\varepsilon$-specious adversary in $\Pi^U$. Then there exist an isometry $T : A_n \to A_n \otimes \hat{A}$ and a mixed state $\varrho \in \mathrm{D}(\hat{A})$ such that for all joint input states $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$,

$$\Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}})\,[\tilde{\mathcal{A}} \circledast \mathcal{B}](\rho_{\mathrm{in}})\,(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}}),\ \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})\,\rho_{\mathrm{in}}\,(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) \le 12\sqrt{2\varepsilon}.$$

The same also applies to any $\varepsilon$-specious adversary $\tilde{\mathcal{B}}$: there exist an isometry $T : B_n \to B_n \otimes \hat{B}$ and a state $\varrho \in \mathrm{D}(\hat{B})$ such that

$$\Delta\Bigl( (\mathbb{1}_{A_n \otimes \mathcal{R}} \otimes T)\,[\mathcal{A} \circledast \tilde{\mathcal{B}}](\rho_{\mathrm{in}})\,(\mathbb{1}_{A_n \otimes \mathcal{R}} \otimes T^\dagger),\ \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})\,\rho_{\mathrm{in}}\,(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) \le 12\sqrt{2\varepsilon}, \qquad (8)$$

for every $\rho_{\mathrm{in}}$.

Proof. We shall only prove the statement for an $\varepsilon$-specious $\tilde{\mathcal{A}}$; the statement for an $\varepsilon$-specious $\tilde{\mathcal{B}}$ is identical. Furthermore, by convexity, it is sufficient to prove the lemma for pure $\rho_{\mathrm{in}}$.

Consider any pair of pure input states $|\psi_1\rangle$ and $|\psi_2\rangle$ in $A_0 \otimes B_0 \otimes \mathcal{R}$. Let $\mathcal{R}' := \mathcal{R} \otimes \mathcal{R}_2$, where $\mathcal{R}_2 = \mathrm{span}\{|1\rangle, |2\rangle\}$ represents a single qubit, and define the state $|\psi\rangle := \frac{1}{\sqrt{2}}\bigl(|\psi_1\rangle|1\rangle + |\psi_2\rangle|2\rangle\bigr) \in A_0 \otimes B_0 \otimes \mathcal{R}'$. Note that $\mathrm{tr}_{\mathcal{R}_2}(|\psi\rangle\langle\psi|) = \frac{1}{2}|\psi_1\rangle\langle\psi_1| + \frac{1}{2}|\psi_2\rangle\langle\psi_2|$. Due to the correctness of the protocol and to the speciousness of $\tilde{\mathcal{A}}$, there exists a quantum operation $\mathcal{T}_n : \mathrm{L}(A_n) \to \mathrm{L}(A_n)$ such that

$$\Delta\Bigl( (\mathcal{T}_n \otimes \mathbb{1}_{\mathrm{L}(B_n \otimes \mathcal{R}')})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\psi\rangle\langle\psi|)\bigr),\ (U \otimes \mathbb{1}_{\mathcal{R}'})|\psi\rangle\langle\psi|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}'}) \Bigr) \le 2\varepsilon.$$

Now, consider any isometry $T : A_n \to A_n \otimes \hat{A}$ such that $\mathcal{T}_n(\sigma) = \mathrm{tr}_{\hat{A}}(T \sigma T^\dagger)$ for every $\sigma \in \mathrm{L}(A_n)$; in other words, any operation that implements $\mathcal{T}_n$ while keeping in $\hat{A}$ any information that would otherwise be destroyed. By Uhlmann's theorem, there must exist a state $\varrho \in \mathrm{D}(\hat{A})$ such that

$$\Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}'})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\psi\rangle\langle\psi|)\bigr)(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}'}),\ \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}'})|\psi\rangle\langle\psi|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}'}) \Bigr) \le 2\sqrt{2\varepsilon}.$$

Now, the trace distance is monotone under completely positive, trace non-increasing maps. In particular, we can apply the projector $P_1 = \mathbb{1}_{A_n \otimes \hat{A} \otimes B_n \otimes \mathcal{R}} \otimes |1\rangle\langle 1|$ (i.e., the map $X \mapsto P_1 X P_1$) to both states in the above trace distance and the inequality will still hold. In other words, we project both states onto $|1\rangle$ on $\mathcal{R}_2$, thereby turning $|\psi\rangle\langle\psi|$ into $\frac{1}{2}|\psi_1\rangle\langle\psi_1| \otimes |1\rangle\langle 1|$. Factoring out the $\frac{1}{2}$, we get that

$$\Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\psi_1\rangle\langle\psi_1|)\bigr)(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}}),\ \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})|\psi_1\rangle\langle\psi_1|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) \le 4\sqrt{2\varepsilon}.$$

Likewise, projecting onto $|2\rangle$ yields the same bound with $|\psi_2\rangle$ in place of $|\psi_1\rangle$.

Our only problem at this point is that $\varrho$ in principle depends on $|\psi_1\rangle$ and $|\psi_2\rangle$. However, repeating the above argument with $|\psi_1\rangle$ and $|\psi_3\rangle$, for any $|\psi_3\rangle$, will yield a $\varrho'$ with

$$\Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\psi_1\rangle\langle\psi_1|)\bigr)(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}}),\ \varrho' \otimes (U \otimes \mathbb{1}_{\mathcal{R}})|\psi_1\rangle\langle\psi_1|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) \le 4\sqrt{2\varepsilon}$$

and hence, by the triangle inequality, $\Delta(\varrho, \varrho') \le 8\sqrt{2\varepsilon}$. Therefore, for any state $|\phi\rangle \in A_0 \otimes B_0 \otimes \mathcal{R}$, there exists a state $\rho \in \mathrm{D}(\hat{A})$ with $\Delta(\rho, \varrho) \le 8\sqrt{2\varepsilon}$ such that

$$\Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\phi\rangle\langle\phi|)\bigr)(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}}),\ \rho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})|\phi\rangle\langle\phi|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) \le 4\sqrt{2\varepsilon}.$$

The lemma then follows by the triangle inequality:

$$\begin{aligned}
&\Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\phi\rangle\langle\phi|)\bigr)(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}}),\ \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})|\phi\rangle\langle\phi|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) \\
&\quad \le \Delta\Bigl( (T \otimes \mathbb{1}_{B_n \otimes \mathcal{R}})\bigl([\tilde{\mathcal{A}} \circledast \mathcal{B}](|\phi\rangle\langle\phi|)\bigr)(T^\dagger \otimes \mathbb{1}_{B_n \otimes \mathcal{R}}),\ \rho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})|\phi\rangle\langle\phi|(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \Bigr) + \Delta(\rho, \varrho) \\
&\quad \le 4\sqrt{2\varepsilon} + 8\sqrt{2\varepsilon} = 12\sqrt{2\varepsilon}.
\end{aligned}$$

□

E Proof of Privacy

In the following we prove the privacy of $P^U = (\mathcal{A}^*, \mathcal{B}^*, n_U + 1)$ against specious quantum adversaries, and that for any unitary $U \in \mathrm{U}(A_0 \otimes B_0)$ represented by a quantum circuit $C_U$ with $u$ gates in $\mathsf{UG}$. We provide families of simulators $\mathcal{S}(\tilde{\mathcal{A}})$ and $\mathcal{S}(\tilde{\mathcal{B}})$ for any specious quantum adversaries $\tilde{\mathcal{A}}$ and $\tilde{\mathcal{B}}$ respectively. Since the protocol has $n_U$ oracle calls, it is sufficient to provide simulators for each of these $n_U$ steps, because the final quantum operations (i.e., $\tilde{\mathcal{A}}_{n_U+1}$ and $\tilde{\mathcal{B}}_{n_U+1}$) are local. No simulator for a round occurring before the start of the key-releasing phase needs to call the ideal functionality for $U$. The output of these simulators will be shown identical to the adversary's view (i.e., the simulation is perfect) even if the adversary is arbitrarily malicious. Only the last simulator of each family needs to call the ideal functionality for $U$. The last simulation produces a state that is essentially $\sqrt{\varepsilon}$-close to the adversary's view, provided the adversary is $\varepsilon$-specious.

First, we show privacy of the evaluation phase before addressing privacy of the key-releasing phase. Privacy of the entire protocol will then follow.



E.1 Privacy of the Evaluation Phase



We start by showing privacy of protocol $P^U = (\mathcal{A}^*, \mathcal{B}^*, n_U + 1)$ at all steps $1 \le i \le n_U - 1$ occurring during the evaluation phase of the quantum circuit $C_U$ implementing $U$ with $u$ gates in $\mathsf{UG}$. The last step of the evaluation phase is $n_U - 1$, since only one oracle call is then left to complete the execution. This phase is the easy part of the simulation since all transmissions are independent of the joint input state $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$. The theorem below provides a perfect simulation of any adversary's view generated during the evaluation of any gate in $C_U$. No call to the ideal functionality for $U$ is required.

Theorem E.1 (Privacy of the Evaluation). $P^U = (\mathcal{A}^*, \mathcal{B}^*, n_U + 1)$ admits simulators $\mathcal{S}(\tilde{\mathcal{A}})$ and $\mathcal{S}(\tilde{\mathcal{B}})$ that do not call the ideal functionality for $U \in \mathrm{U}(A_0 \otimes B_0)$ such that for any joint input state $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$ and every $1 \le i \le n_U - 1$:

$$\Delta\bigl(\nu_i(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{B_i}(\rho_i(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\bigr) = 0 \quad\text{and}\quad \Delta\bigl(\nu_i(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{A_i}(\rho_i(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}))\bigr) = 0. \qquad (9)$$

This holds against any adversaries $\tilde{\mathcal{A}}$ and $\tilde{\mathcal{B}}$, not necessarily specious.

Proof (Sketch). Without loss of generality, we prove privacy only against adversary $\tilde{\mathcal{A}}$. The protocol being symmetric, privacy against $\tilde{\mathcal{B}}$ follows. The proof proceeds by induction on the current gate $G_j$ in the circuit $C_U := G_u G_{u-1} \cdots G_1$ evaluated in $P^U$. We provide simulators $\mathcal{S}^*_j$ producing $\tilde{\mathcal{A}}$'s view after the evaluation of $G_j$. During the execution of $G_j$, $\tilde{\mathcal{A}}$ may receive at most one message from $\mathcal{B}^*$ and may call the ideal AND-box at most once (when $G_j = R$). It follows that during the evaluation of $G_j$ no, one, or two steps need to be simulated, since the evaluation consists of no, one or two oracle calls out of which at most one is non-trivial. Let $s[j] \in \{0, 1, 2\}$ for $1 \le j \le u$ be the number of steps to be simulated during the evaluation of $G_j$. Let $i[0] := 0$ and $i[j] := s[j] + i[j-1]$ for $1 \le j \le u$ be the number of steps to simulate for the evaluation of $G_j G_{j-1} \cdots G_1$. In order to fulfill privacy as defined in Definition 3.3, each simulator $\mathcal{S}^*_j$ must be converted into $\mathcal{S}_{i[j]} \in \mathcal{S}(\tilde{\mathcal{A}})$ if $i[j] = i[j-1] + 1$ (i.e., $G_j$ requires only one step to be simulated and this step is a message from $\mathcal{B}^*$), and into $\{\mathcal{S}_{i[j-1]+1}, \mathcal{S}_{i[j-1]+2}\} \subseteq \mathcal{S}(\tilde{\mathcal{A}})$ if $i[j] = i[j-1] + 2$ (i.e., $G_j = R$ and therefore requires two simulation steps: one message from $\mathcal{B}^*$ and one call to the AND-box). This conversion is performed the following way. We let $\mathcal{S}_{i[j-1]+1}$ run $\mathcal{S}^*_j$ until the $(i[j-1]+1)$-th step is reached. This step is necessarily a message transmitted from $\mathcal{B}^*$ to $\tilde{\mathcal{A}}$. If $i[j] = i[j-1] + 2$ then $\mathcal{S}_{i[j]} := \mathcal{S}^*_j$, which corresponds to the simulation of $\tilde{\mathcal{A}}$'s view after the call to the AND-box. We now provide $\mathcal{S}^*_j$ for each gate $G_j$ in $C_U$. Notice that we do not explicitly simulate a communication from $\tilde{\mathcal{A}}$ to $\mathcal{B}^*$, since simulating this step can be performed from the simulation of the previous step together with $\tilde{\mathcal{A}}$'s quantum operation at the current step.

$\mathcal{S}^*_1$ works as follows. It runs $\tilde{\mathcal{A}}$ on her part of the joint input state $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$ until the first message from the other party is expected. If gate $G_1$ does not involve any transmission from $\mathcal{B}^*$ then the simulation of gate $G_1$ is over (i.e., $G_1$ is in $\{X, Y, Z, H, P\}$ or is a CNOT applied on local wires). Otherwise, it prepares the first message sent from $\mathcal{B}^*$. Of course, this message depends on $G_1$. We have the following three cases to address:

CNOT-gate: $\tilde{\mathcal{A}}$ holds the target wire while $\mathcal{B}^*$ holds the control wire. This case is the only one where $\tilde{\mathcal{A}}$ receives something from $\mathcal{B}^*$ during the computation of a CNOT-gate. $\mathcal{S}^*_1$ then works the obvious way in order to generate the first transmission from $\mathcal{B}^*$ to $\tilde{\mathcal{A}}$:

– $\mathcal{S}^*_1$ prepares $|\Gamma\rangle = (\mathbb{1}_2 \otimes \mathrm{CNOT} \otimes \mathbb{1}_2)\,|\Phi_{0,0}\rangle^{W A_1^t} \otimes |\Phi_{0,0}\rangle$, where $W$ is a new working register for the simulator. $\mathcal{S}^*_1$ then sends register $A_1^t$ to $\tilde{\mathcal{A}}$. This simulates $\mathcal{B}^*$'s transmission to $\tilde{\mathcal{A}}$.

– The transmission prepared by $\mathcal{S}^*_1$ is in the same state as when $\tilde{\mathcal{A}}$ interacts with $\mathcal{B}^*$ upon any input state $\rho_{\mathrm{in}}$: half of an EPR pair is maximally mixed whatever is done to the other half. It follows that the output of $\mathcal{S}^*_1$ satisfies

$$\Delta\bigl(\nu_1(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{B_1}(\rho_1(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\bigr) = 0,$$

for all input states $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$.

R-gate: $\tilde{\mathcal{A}}$ holds the register upon which the gate is executed. In this case, $\mathcal{S}^*_1$ provides $\tilde{\mathcal{A}}$ with $\mathcal{B}^*$'s transmission as follows:

– $\mathcal{S}^*_1$ prepares and sends the maximally mixed state $\frac{1}{2}\mathbb{1}_2 \in \mathrm{D}(A_1^t)$ to $\tilde{\mathcal{A}}$.

– $\mathcal{S}^*_1$ then calls the ideal AND-box with a random input bit. Notice that $\tilde{\mathcal{A}}$ cannot distinguish this behaviour from $\mathcal{B}^*$'s, since an AND-box is non-signaling and can therefore not be used by one party to extract any information about the other party's input (i.e., the output of one party can be generated before the input of the other party has been provided to the box).

– As in the case where $\tilde{\mathcal{A}}$ interacts with $\mathcal{B}^*$, the first message received from $\mathcal{S}^*_1$ is in state $\frac{1}{2}\mathbb{1}_2$ and $\tilde{\mathcal{A}}$'s output of the AND-box is independent of $\mathcal{B}^*$'s view. It follows that

$$\Delta\bigl(\nu_1(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{B_1}(\rho_1(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\bigr) = 0,$$

for all input states $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$.

R-gate: $\mathcal{B}^*$ holds the register upon which the gate is executed. $\mathcal{S}^*_1$ provides $\tilde{\mathcal{A}}$ with $\mathcal{B}^*$'s first transmission the same way as in the previous case:

– $\mathcal{S}^*_1$ prepares and sends the maximally mixed state $\frac{1}{2}\mathbb{1}_2 \in \mathrm{D}(A_1^t)$ to $\tilde{\mathcal{A}}$. This simulates $\mathcal{B}^*$'s transmission to $\tilde{\mathcal{A}}$.

– $\mathcal{S}^*_1$ provides the AND-box with a fresh random bit, as in the previous case.

– As in the case where $\tilde{\mathcal{A}}$ interacts with $\mathcal{B}^*$, the first message received from $\mathcal{S}^*_1$ is in state $\frac{1}{2}\mathbb{1}_2$ and $\tilde{\mathcal{A}}$'s output of the AND-box is independent of $\mathcal{B}^*$'s view. It follows that

$$\Delta\bigl(\nu_1(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{B_1}(\rho_1(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\bigr) = 0,$$

for all input states $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$.

Since the three cases above exhaust all possibilities for a transmission from $\mathcal{B}^*$ to $\tilde{\mathcal{A}}$, $\mathcal{S}^*_1$ satisfies (9).

Now, suppose by the induction hypothesis that $\mathcal{S}^*_{j-1}$ simulates the adversary $\tilde{\mathcal{A}}$ perfectly up to and including gate $G_{j-1}$, for $2 \le j \le u$. We show how to construct $\mathcal{S}^*_j$ simulating perfectly up to and including gate $G_j$. We construct $\mathcal{S}^*_j$ the obvious way: $\mathcal{S}^*_j$ runs $\mathcal{S}^*_{j-1}$ and then simulates $\tilde{\mathcal{A}}$ until $\mathcal{B}^*$'s next transmission occurring during the evaluation of $G_j$. If no such message occurs during the evaluation of $G_j$ then $\mathcal{S}^*_j$ is done. Otherwise, the same three cases described above have to be considered, and $\mathcal{S}^*_j$ provides $\tilde{\mathcal{A}}$ with $\mathcal{B}^*$'s transmission exactly the same way as $\mathcal{S}^*_1$ does. The result follows easily.

□



E.2 Privacy of the Key-Releasing Phase

In order to conclude the privacy of $P^U$, the families $\mathcal{S}(\tilde{\mathcal{A}})$ and $\mathcal{S}(\tilde{\mathcal{B}})$ need one more simulator each: $\mathcal{S}_{n_U} \in \mathcal{S}(\tilde{\mathcal{A}})$ and $\mathcal{S}'_{n_U} \in \mathcal{S}(\tilde{\mathcal{B}})$, corresponding to the simulation of the key-releasing phase. This time, these simulators need to query the ideal functionality for $U$ and also need the adversary to be specious. We show that privacy of the key-releasing phase follows from the Rushing Lemma (Lemma D.1). The lemma tells us that as soon as the output is available to the honest player, it is too late for specious adversaries to break privacy. The role of the ideal SWAP is to make sure that, before the adversary gets the output of the computation, the information needed by the honest player to recover its own output has been given away by the adversary.

It should be mentioned that we do not explicitly simulate the final state of the adversary, since simulating the SWAP also yields $\tilde{\mathcal{A}}$'s final state by simply appending $\tilde{\mathcal{A}}$'s last quantum operation to the simulated view. We therefore set step $n_U$ in $P^U$ to be the step reached after the call to SWAP. This abuses the notation a bit since after SWAP, $\mathcal{A}^*$ and $\mathcal{B}^*$ must each apply a final quantum operation with no more oracle call. We denote by $\mathcal{A}^*_{n_U+1}$ and $\mathcal{B}^*_{n_U+1}$ these last operations, which reconstruct the output of the computation (no communication).

Lemma E.2. For any $\varepsilon$-specious quantum adversaries $\tilde{\mathcal{A}}$ and $\tilde{\mathcal{B}}$ against $P^U = (\mathcal{A}^*, \mathcal{B}^*, n_U + 1)$, there exist simulators $\mathcal{S}_{n_U} \in \mathcal{S}(\tilde{\mathcal{A}})$ and $\mathcal{S}'_{n_U} \in \mathcal{S}(\tilde{\mathcal{B}})$ such that for all $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$,

$$\Delta\bigl(\nu_{n_U}(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{B_{n_U}}(\rho_{n_U}(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\bigr) \le 24\sqrt{2\varepsilon} \quad\text{and}\quad \Delta\bigl(\nu_{n_U}(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{A_{n_U}}(\rho_{n_U}(\tilde{\mathcal{B}}, \rho_{\mathrm{in}}))\bigr) \le 24\sqrt{2\varepsilon}. \qquad (10)$$

Simulators $\mathcal{S}_{n_U}$ and $\mathcal{S}'_{n_U}$ call the ideal functionality for $U$ and imply the simulations of step $n_U + 1$ as well.



Proof (sketch). Once again, we only prove privacy against adversary $\tilde{\mathcal{A}}$. Privacy against $\tilde{\mathcal{B}}$ follows directly since the key-releasing phase is completely symmetric. The idea behind the proof is to run $\tilde{\mathcal{A}}$ and $\mathcal{B}^*$ upon a dummy joint input state until the end of the protocol. Since the adversary is specious, it can reproduce the honest state at the end. The Rushing Lemma tells us that at this point, the output of the computation is essentially in tensor product with all the other registers. Moreover, the state of all other registers is independent of the input state upon which the protocol is executed. The dummy output can then be replaced by the output of the ideal functionality for $U$ before $\tilde{\mathcal{A}}$ is brought back to the stage reached just after SWAP.

More formally, we define a simulator $\mathcal{S}_{n_U} \in \mathcal{S}(\tilde{\mathcal{A}})$ producing $\tilde{\mathcal{A}}$'s view just after the call to SWAP. Let $\tilde{\mathcal{A}}_{\mathrm{SWAP}} \in \mathrm{L}(A_0, A_{n_U})$ and $\mathcal{B}^*_{\mathrm{SWAP}} \in \mathrm{L}(B_0, B_{n_U})$ be the quantum operations run by $\tilde{\mathcal{A}}$ and $\mathcal{B}^*$ respectively until SWAP is executed. Notice that at this point, $\tilde{\mathcal{A}}$'s and $\mathcal{B}^*$'s registers do not have any further oracle registers since no more communication or oracle call will take place. Let $\mathcal{A}_{n_U} \in \mathrm{L}(A_{n_U}, A_{n_U+1} \otimes Z)$ be the isometry implementing $\tilde{\mathcal{A}}$'s last quantum operation taking place after the call to SWAP (and producing the outcome), and let $\mathcal{B}_{n_U} \in \mathrm{L}(B_{n_U}, B_{n_U+1} \otimes W)$ be the isometry implementing $\mathcal{B}^*$'s last quantum operation. Finally, let $T \in \mathrm{L}(A_{n_U+1}, A_{n_U+1} \otimes \hat{A})$ be the isometry implementing $\mathcal{T}_{n_U+1}$ as defined in Lemma D.1 (i.e., the transcript produced at the very end of the protocol). For an isometry $V$ we write $V \cdot \sigma$ for $V \sigma V^\dagger$. As usual, let $\rho_{\mathrm{in}} \in \mathrm{D}(A_0 \otimes B_0 \otimes \mathcal{R})$ be the joint input state of $P^U$. The simulator $\mathcal{S}_{n_U}$ performs the following operations:

1. $\mathcal{S}_{n_U}$ generates the quantum state $\sigma(\phi^*) = [\tilde{\mathcal{A}}_{\mathrm{SWAP}} \circledast \mathcal{B}^*_{\mathrm{SWAP}}](|\phi^*\rangle\langle\phi^*|) \in \mathrm{D}(A_{n_U} \otimes B_{n_U})$, implementing $\tilde{\mathcal{A}}$ interacting with $\mathcal{B}^*$ until SWAP is applied. The execution is performed upon a predetermined (dummy) arbitrary input state $|\phi^*\rangle \in A_0 \otimes B_0$.

2. $\mathcal{S}_{n_U}$ sets $\sigma'(\phi^*) = (T\mathcal{A}_{n_U} \otimes \mathcal{B}_{n_U}) \cdot \sigma(\phi^*) \in \mathrm{D}(A_{n_U+1} \otimes B_{n_U+1} \otimes Z \otimes \hat{A} \otimes W)$.

3. $\mathcal{S}_{n_U}$ replaces register $A_{n_U+1} \simeq A_0$ by $\tilde{\mathcal{A}}$'s output of the ideal functionality for $U$ evaluated upon $\rho_{\mathrm{in}}$ (the honest party's output register $B_{n_U+1}$ is traced out of the view in any case). That is, $\mathcal{S}_{n_U}$ generates the state $\sigma'(\rho_{\mathrm{in}}) = (U \otimes \mathbb{1}_{\mathcal{R}})\rho_{\mathrm{in}}(U \otimes \mathbb{1}_{\mathcal{R}})^\dagger \otimes \mathrm{tr}_{A_{n_U+1} B_{n_U+1}}(\sigma'(\phi^*)) \in \mathrm{D}(A_{n_U+1} \otimes B_{n_U+1} \otimes \mathcal{R} \otimes Z \otimes \hat{A} \otimes W)$.

4. $\mathcal{S}_{n_U}$ finally sets $\nu_{n_U}(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}) = \mathrm{tr}_{B_{n_U+1} W}\bigl((T\mathcal{A}_{n_U} \otimes \mathbb{1}_{B_{n_U+1} \otimes \mathcal{R}})^\dagger \cdot \sigma'(\rho_{\mathrm{in}})\bigr) \in \mathrm{D}(A_{n_U} \otimes \mathcal{R})$.

Notice that execution of the ideal SWAP ensures that the keys swapped are independent of each other and of the joint input state $\rho_{\mathrm{in}}$. This is because, for any input state, all these keys are uniformly distributed bits if they are outcomes of Bell measurements and otherwise are set to $0$. By the Rushing Lemma D.1 and the fact that $\tilde{\mathcal{A}}$ is $\varepsilon$-specious, we have

$$\Delta\bigl(\mathrm{tr}_{ZW}(\sigma'(\phi^*)),\ \varrho \otimes U|\phi^*\rangle\langle\phi^*|U^\dagger\bigr) \le 12\sqrt{2\varepsilon} \quad\text{and}$$

$$\Delta\bigl((T \otimes \mathbb{1}_{B_{n_U+1} \otimes \mathcal{R}}) \cdot [\tilde{\mathcal{A}} \circledast \mathcal{B}^*](\rho_{\mathrm{in}}),\ \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})\rho_{\mathrm{in}}(U^\dagger \otimes \mathbb{1}_{\mathcal{R}})\bigr) \le 12\sqrt{2\varepsilon}.$$

Since $\mathrm{tr}_{ZW}(\sigma'(\rho_{\mathrm{in}})) = (U \otimes \mathbb{1}_{\mathcal{R}})\rho_{\mathrm{in}}(U^\dagger \otimes \mathbb{1}_{\mathcal{R}}) \otimes \mathrm{tr}_{A_{n_U+1} B_{n_U+1} Z W}(\sigma'(\phi^*))$, and partial traces do not increase the trace distance, the first bound gives $\Delta(\mathrm{tr}_{ZW}(\sigma'(\rho_{\mathrm{in}})), \varrho \otimes (U \otimes \mathbb{1}_{\mathcal{R}})\rho_{\mathrm{in}}(U^\dagger \otimes \mathbb{1}_{\mathcal{R}})) \le 12\sqrt{2\varepsilon}$. It follows by the triangle inequality that

$$\Delta\bigl((T \otimes \mathbb{1}_{B_{n_U+1} \otimes \mathcal{R}}) \cdot [\tilde{\mathcal{A}} \circledast \mathcal{B}^*](\rho_{\mathrm{in}}),\ \mathrm{tr}_{ZW}(\sigma'(\rho_{\mathrm{in}}))\bigr) \le 24\sqrt{2\varepsilon}. \qquad (11)$$

Using the fact that isometries cannot increase the trace distance and that $(T\mathcal{A}_{n_U})^\dagger$ allows $\tilde{\mathcal{A}}$ to go back from the end of the protocol to the step reached after SWAP, we get from (11) that

$$\Delta\bigl(\nu_{n_U}(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}),\ \mathrm{tr}_{B_{n_U}}(\rho_{n_U}(\tilde{\mathcal{A}}, \rho_{\mathrm{in}}))\bigr) \le \Delta\bigl((T \otimes \mathbb{1}_{B_{n_U+1} \otimes \mathcal{R}}) \cdot [\tilde{\mathcal{A}} \circledast \mathcal{B}^*](\rho_{\mathrm{in}}),\ \mathrm{tr}_{ZW}(\sigma'(\rho_{\mathrm{in}}))\bigr) \le 24\sqrt{2\varepsilon}.$$

The statement follows.

□
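The two input-independence facts relied on above can be checked numerically. The following is an added example, not code from the paper: a small pure-Python statevector simulator that verifies (i) that the register $A_1^t$ which $\mathcal{S}^*_1$ hands to the adversary in the CNOT case of Theorem E.1 is maximally mixed, and (ii) the claim in the proof of Lemma E.2 that Bell-measurement outcomes (the teleportation keys) are uniformly distributed for every input state, including inputs entangled with a reference register. The qubit layout, the register names used in the code and the sample input states are assumptions made for this example.

```python
"""Added example (not from the paper): pure-Python statevector checks.

1. Theorem E.1, CNOT case: the simulator's register A_1^t inside
   (1 x CNOT x 1)|Phi_00>|Phi_00> is maximally mixed, so the message the
   adversary receives is independent of every input.
2. Lemma E.2: Bell-measurement outcomes (teleportation keys) are uniform
   for any input, even one entangled with a reference register.

Qubit positions and register labels below are assumptions of the example.
"""
import math
from typing import Dict, List, Sequence, Tuple

State = List[complex]  # 2**n amplitudes; qubit 0 is the most significant bit

INV_SQRT2 = 1 / math.sqrt(2)
H = ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2))
EPR: State = [INV_SQRT2, 0j, 0j, INV_SQRT2]  # |Phi_00> = (|00> + |11>)/sqrt(2)


def nqubits(state: State) -> int:
    return len(state).bit_length() - 1


def bit(index: int, qubit: int, n: int) -> int:
    """Value of `qubit` in the computational-basis index (qubit 0 = MSB)."""
    return (index >> (n - 1 - qubit)) & 1


def embed(parts: Sequence[Tuple[State, Sequence[int]]], n: int) -> State:
    """Tensor product of small states, each placed on the given qubit positions."""
    out: State = []
    for idx in range(2 ** n):
        amp = 1 + 0j
        for sub, positions in parts:
            k = len(positions)
            sub_idx = sum(bit(idx, q, n) << (k - 1 - p) for p, q in enumerate(positions))
            amp *= sub[sub_idx]
        out.append(amp)
    return out


def apply_1q(state: State, gate, q: int) -> State:
    """Apply a 2x2 gate (nested tuples, gate[row][col]) to qubit q."""
    n = nqubits(state)
    mask = 1 << (n - 1 - q)
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        if amp == 0:
            continue
        b = int((idx & mask) != 0)
        base = idx & ~mask
        out[base] += gate[0][b] * amp
        out[base | mask] += gate[1][b] * amp
    return out


def apply_cnot(state: State, control: int, target: int) -> State:
    n = nqubits(state)
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        out[idx ^ (1 << (n - 1 - target)) if bit(idx, control, n) else idx] += amp
    return out


def reduced_density(state: State, keep: Sequence[int]) -> List[List[complex]]:
    """Partial trace over every qubit not listed in `keep`, as a dense matrix."""
    n, k = nqubits(state), len(keep)
    traced = [q for q in range(n) if q not in keep]
    rho = [[0j] * (2 ** k) for _ in range(2 ** k)]
    for i, a in enumerate(state):
        if a == 0:
            continue
        ri = sum(bit(i, q, n) << (k - 1 - p) for p, q in enumerate(keep))
        for j, b in enumerate(state):
            if b == 0 or any(bit(i, q, n) != bit(j, q, n) for q in traced):
                continue
            rj = sum(bit(j, q, n) << (k - 1 - p) for p, q in enumerate(keep))
            rho[ri][rj] += a * b.conjugate()
    return rho


def bell_measurement_distribution(state: State, q1: int, q2: int) -> Dict[Tuple[int, int], float]:
    """Outcome probabilities of a Bell measurement on (q1, q2).

    CNOT(q1 -> q2) followed by H(q1) maps the four Bell states to the four
    basis states; the readout bits (z, x) are the teleportation key."""
    n = nqubits(state)
    s = apply_1q(apply_cnot(state, q1, q2), H, q1)
    probs = {(z, x): 0.0 for z in (0, 1) for x in (0, 1)}
    for idx, amp in enumerate(s):
        probs[(bit(idx, q1, n), bit(idx, q2, n))] += abs(amp) ** 2
    return probs


def simulator_cnot_message() -> List[List[complex]]:
    """Theorem E.1, CNOT case: reduced state of A_1^t in |Gamma>.

    Assumed layout: 0 = W (simulator's working register), 1 = A_1^t (sent to
    the adversary), 2 and 3 = the second EPR pair; the CNOT acts across pairs."""
    W, A1T, C, D = 0, 1, 2, 3
    gamma = apply_cnot(embed([(EPR, (W, A1T)), (EPR, (C, D))], 4), C, A1T)
    return reduced_density(gamma, (A1T,))


def teleportation_key_distribution(input_2q: State) -> Dict[Tuple[int, int], float]:
    """Lemma E.2: key distribution when Bell-measuring an input qubit with an EPR half.

    `input_2q` lives on (message qubit, reference qubit) so entangled inputs are
    covered. Layout: 0 = message, 1 and 2 = EPR pair, 3 = reference."""
    state = embed([(input_2q, (0, 3)), (EPR, (1, 2))], 4)
    return bell_measurement_distribution(state, 0, 1)


def is_maximally_mixed(rho: List[List[complex]], tol: float = 1e-9) -> bool:
    d = len(rho)
    return all(abs(rho[i][j] - (1 / d if i == j else 0)) < tol
               for i in range(d) for j in range(d))


def keys_are_uniform(dist: Dict[Tuple[int, int], float], tol: float = 1e-9) -> bool:
    return len(dist) == 4 and all(abs(p - 0.25) < tol for p in dist.values())


if __name__ == "__main__":
    print("A_1^t maximally mixed:", is_maximally_mixed(simulator_cnot_message()))
    entangled_input = [0.6 + 0j, 0j, 0j, 0.8j]  # constructed message/reference state
    print("keys uniform:", keys_are_uniform(teleportation_key_distribution(entangled_input)))
```

The check for the CNOT case is really a check that a unitary acting on the middle qubits cannot change the reduced state of a maximally mixed half; the Bell-measurement check is the statement that $\langle\Phi_k|(\rho_0 \otimes \tfrac{1}{2}\mathbb{1})|\Phi_k\rangle = \tfrac{1}{4}$ for every $k$ and every $\rho_0$, which is why the swapped keys carry nothing about $\rho_{\mathrm{in}}$.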



Theorem E.1 and Lemma E.2 imply the privacy of $P^U$ against specious adversaries, and that for any $U \in \mathrm{U}(A_0 \otimes B_0)$, as stated in our main Theorem 6.1. When $U$ is in the Clifford group, one call to an ideal SWAP is sufficient to ensure privacy. Unitaries in the Clifford group are, to some extent, the easy ones: although an ideal functionality is required for privacy, that functionality is unitary and itself belongs to the Clifford group, rather than being a classical cryptographic primitive. If $U$ is not in the Clifford group, however, one additional call to a classical AND-box is required for each R-gate. This is reminiscent of classical circuits with AND gates, where oblivious transfer is required to evaluate them privately. In order to implement a classical AND-box, commitments and quantum communication are sufficient and necessary [9, 14].



